CVE-2021-42574

Summary

CVE: CVE-2021-42574
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2021-11-01 04:15:00 UTC
Updated: 2023-11-07 03:39:00 UTC
Description: ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
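
The tooling-side mitigation the record alludes to (compilers such as rustc and gcc began flagging bidirectional control characters in source after this disclosure) comes down to a scan for the UAX #9 explicit formatting characters. The scanner below is an added example written for this page, not code from the Unicode Consortium or from any compiler project; the function name `scan_bidi`, the per-line balance heuristic and the sample input are all constructed here.

```python
"""Detect Unicode bidirectional control characters in source text.

Added example for the issue class in CVE-2021-42574: explicit bidi
embeddings, overrides and isolates (UAX #9) can make the rendered order
of tokens differ from the order a compiler parses. Flagging these code
points in program text, as compiler fixes for this CVE do, is the check
a code-review pipeline or pre-commit hook wants. Sample input is constructed.
"""
import unicodedata

# UAX #9 explicit formatting characters. Openers push a directional state,
# closers (PDF, PDI) pop it. A dangling opener is the usual sign of
# deliberate reordering, but every occurrence in source deserves review.
BIDI_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e",  # LRE, RLE, LRO, RLO
                "\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
BIDI_CLOSERS = {"\u202c", "\u2069"}                        # PDF, PDI


def scan_bidi(source: str) -> list[dict]:
    """Return one finding per bidi control character in `source`.

    A finding carries 1-based line/col, the code point, its Unicode name,
    and `unbalanced`, true when the line's openers and closers do not pair
    up (UAX #9 resets embedding state at paragraph end, so a non-zero depth
    at end of line means a control character was left dangling).
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth, line_findings = 0, []
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_OPENERS:
                depth += 1
            elif ch in BIDI_CLOSERS:
                depth -= 1
            else:
                continue
            line_findings.append({"line": lineno, "col": col,
                                  "codepoint": f"U+{ord(ch):04X}",
                                  "name": unicodedata.name(ch)})
        for finding in line_findings:
            finding["unbalanced"] = depth != 0
        findings.extend(line_findings)
    return findings


# Constructed sample: an unterminated RLO inside a comment (the risky case)
# and a properly paired RLI/PDI isolate inside a string literal.
SAMPLE = ("int check(int level) {\n"
          "    /* \u202e access denied */\n"
          "    s = \"\u2067abc\u2069\";\n"
          "    return 0;\n}\n")

if __name__ == "__main__":
    for f in scan_bidi(SAMPLE):
        state = "UNBALANCED" if f["unbalanced"] else "balanced"
        print(f"{f['line']}:{f['col']} {f['codepoint']} {f['name']} ({state})")
```

Running it over a repository's source files and failing the build on any finding mirrors the compiler lints; relaxing it to only the `unbalanced` entries trades some coverage for fewer false positives in legitimately bidirectional string literals.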

Risk And Classification

Problem Types: CWE-94

NVD Known Affected Configurations (CPE 2.3)

Type             | Vendor           | Product              | Version | Update | Edition | Language
Operating System | Fedoraproject    | Fedora               | 33      | All    | All     | All
Operating System | Fedoraproject    | Fedora               | 34      | All    | All     | All
Operating System | Fedoraproject    | Fedora               | 35      | All    | All     | All
Application      | Starwindsoftware | Starwind Virtual San | v8r13   | 14398  | All     | All
Application      | Unicode          | Unicode              | All     | All    | All     | All

References

Reference | Source | Link | Tags
Trojans in your source code | MISC | www.scyon.nl |
oss-security - CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code | MLIST | www.openwall.com |
oss-security - Trojan Source Attacks | MLIST | www.openwall.com |
Rust: Multiple Vulnerabilities (GLSA 202210-09) - Gentoo security | GENTOO | security.gentoo.org |
[SECURITY] Fedora 33 Update: rust-1.56.1-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
UAX #31: Unicode Identifier and Pattern Syntax | MISC | www.unicode.org |
[SECURITY] Fedora 35 Update: rust-1.56.1-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
oss-security - Re: Trojan Source Attacks | MLIST | www.openwall.com |
[SECURITY] Fedora 34 Update: rust-1.56.1-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 33 Update: rust-1.56.1-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: rust-1.56.1-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
VU#999008 - Compilers permit Unicode control and homoglyph characters | CERT-VN | www.kb.cert.org |
oss-security - Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code | MLIST | www.openwall.com |
CVE-2021-42574 Bidirectional Algorithm issue in StarWind Products | MISC | www.starwindsoftware.com |
UTR #36: Unicode Security Considerations | MISC | www.unicode.org |
UAX #9: Unicode Bidirectional Algorithm | MISC | www.unicode.org |
Unicode 14.0.0 | MISC | www.unicode.org |
oss-security - Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code | MLIST | www.openwall.com |
UTS #39: Unicode Security Mechanisms | MISC | www.unicode.org |
[SECURITY] Fedora 35 Update: rust-1.56.1-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
Trojan Source Attacks | MISC | trojansource.codes |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 159440 Oracle Enterprise Linux Security Update for binutils (ELSA-2021-4033)
  • 159524 Oracle Enterprise Linux Security Update for gcc-toolset-10-gcc (ELSA-2021-4585)
  • 159525 Oracle Enterprise Linux Security Update for gcc-toolset-11-gcc (ELSA-2021-4586)
  • 159526 Oracle Enterprise Linux Security Update for gcc (ELSA-2021-4587)
  • 159527 Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2021-4590)
  • 159528 Oracle Enterprise Linux Security Update for gcc-toolset-11-annobin (ELSA-2021-4591)
  • 159529 Oracle Enterprise Linux Security Update for gcc-toolset-10-annobin (ELSA-2021-4592)
  • 159530 Oracle Enterprise Linux Security Update for annobin (ELSA-2021-4593)
  • 159531 Oracle Enterprise Linux Security Update for gcc-toolset-11-binutils (ELSA-2021-4594)
  • 159532 Oracle Enterprise Linux Security Update for binutils (ELSA-2021-4595)
  • 159536 Oracle Enterprise Linux Security Update for gcc-toolset-10-binutils (ELSA-2021-4649)
  • 159537 Oracle Enterprise Linux Security Update for llvm-toolset:ol8 (ELSA-2021-4743)
  • 184440 Debian Security Update for rustc (CVE-2021-42574)
  • 239748 Red Hat Update for binutils (RHSA-2021:4033)
  • 239749 Red Hat Update for devtoolset-10-gcc (RHSA-2021:4039)
  • 239850 Red Hat Update for gcc-toolset-11-binutils (RHSA-2021:4594)
  • 239851 Red Hat Update for gcc-toolset-10-annobin (RHSA-2021:4589)
  • 239854 Red Hat Update for binutils (RHSA-2021:4595)
  • 239855 Red Hat Update for gcc-toolset-10-annobin (RHSA-2021:4592)
  • 239856 Red Hat Update for gcc (RHSA-2021:4587)
  • 239857 Red Hat Update for binutils (RHSA-2021:4602)
  • 239858 Red Hat Update for gcc-toolset-10-gcc (RHSA-2021:4585)
  • 239859 Red Hat Update for annobin (RHSA-2021:4600)
  • 239861 Red Hat Update for gcc-toolset-11-gcc (RHSA-2021:4586)
  • 239862 Red Hat Update for annobin (RHSA-2021:4598)
  • 239863 Red Hat Update for annobin (RHSA-2021:4599)
  • 239864 Red Hat Update for gcc-toolset-11-annobin (RHSA-2021:4591)
  • 239866 Red Hat Update for binutils (RHSA-2021:4596)
  • 239867 Red Hat Update for binutils (RHSA-2021:4601)
  • 239868 Red Hat Update for gcc-toolset-10-binutils (RHSA-2021:4588)
  • 239870 Red Hat Update for annobin (RHSA-2021:4593)
  • 239872 Red Hat Update for rust-toolset:rhel8 (RHSA-2021:4590)
  • 239883 Red Hat Update for devtoolset-11-gcc (RHSA-2021:4669)
  • 239886 Red Hat Update for gcc-toolset-10-binutils (RHSA-2021:4649)
  • 239897 Red Hat Update for devtoolset-10-annobin (RHSA-2021:4724)
  • 239898 Red Hat Update for devtoolset-10-binutils (RHSA-2021:4723)
  • 239899 Red Hat Update for devtoolset-11-binutils (RHSA-2021:4730)
  • 239900 Red Hat Update for llvm-toolset:rhel8 (RHSA-2021:4743)
  • 239901 Red Hat Update for devtoolset-11-annobin (RHSA-2021:4729)
  • 257129 CentOS Security Update for binutils (CESA-2021:4033)
  • 282032 Fedora Security Update for rust (FEDORA-2021-0578e23912)
  • 282046 Fedora Security Update for rust (FEDORA-2021-443139f67c)
  • 296086 Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)
  • 353280 Amazon Linux Security Advisory for gcc10, gcc : ALAS2-2022-1784
  • 354359 Amazon Linux Security Advisory for gcc : ALAS2022-2022-222
  • 354368 Amazon Linux Security Advisory for gcc : ALAS2022-2022-057
  • 354573 Amazon Linux Security Advisory for gcc : ALAS-2022-222
  • 355160 Amazon Linux Security Advisory for gcc : ALAS2023-2023-030
  • 377278 Alibaba Cloud Linux Security Update for binutils (ALINUX2-SA-2021:0062)
  • 377566 Alibaba Cloud Linux Security Update for rust-toolset:rhel8 (ALINUX3-SA-2022:0116)
  • 502185 Alpine Linux Security Update for rust
  • 671352 EulerOS Security Update for binutils (EulerOS-SA-2022-1262)
  • 671451 EulerOS Security Update for binutils (EulerOS-SA-2022-1443)
  • 671471 EulerOS Security Update for binutils (EulerOS-SA-2022-1422)
  • 671496 EulerOS Security Update for binutils (EulerOS-SA-2022-1481)
  • 671514 EulerOS Security Update for binutils (EulerOS-SA-2022-1500)
  • 672406 EulerOS Security Update for binutils (EulerOS-SA-2022-2789)
  • 710640 Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)
  • 730247 Atlassian Jira Server and Data Center Code Injection Vulnerability (JRASERVER-72978)
  • 730338 Atlassian Confluence Server Code Injection Vulnerability (CONFSERVER-74534)
  • 730343 Atlassian Bitbucket Server and Data Center Code Injection Vulnerability (CVE-2021-42574)
  • 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
  • 730383 Atlassian Bamboo Server and Data Center Code Injection Vulnerability (CVE-2021-42574)
  • 730464 Atlassian Jira Service Management Server and Insight Asset Management Vulnerability (JSDSERVER-10843)
  • 731326 Atlassian Bamboo Server and Data Center Security Update (BAM-21479)
  • 940110 AlmaLinux Security Update for gcc-toolset-10-binutils (ALSA-2021:4649)
  • 940112 AlmaLinux Security Update for gcc-toolset-11-annobin (ALSA-2021:4591)
  • 940115 AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2021:4590)
  • 940133 AlmaLinux Security Update for gcc (ALSA-2021:4587)
  • 940190 AlmaLinux Security Update for gcc-toolset-10-gcc (ALSA-2021:4585)
  • 940240 AlmaLinux Security Update for gcc-toolset-10-annobin (ALSA-2021:4592)
  • 940301 AlmaLinux Security Update for llvm-toolset:rhel8 (ALSA-2021:4743)
  • 940342 AlmaLinux Security Update for gcc-toolset-11-gcc (ALSA-2021:4586)
  • 940360 AlmaLinux Security Update for gcc-toolset-11-binutils (ALSA-2021:4594)
  • 940374 AlmaLinux Security Update for binutils (ALSA-2021:4595)
  • 940410 AlmaLinux Security Update for annobin (ALSA-2021:4593)
  • 960433 Rocky Linux Security Update for gcc-toolset-10-gcc (RLSA-2021:4585)
  • 960674 Rocky Linux Security Update for gcc-toolset-11-binutils (RLSA-2021:4594)
  • 960677 Rocky Linux Security Update for gcc-toolset-10-binutils (RLSA-2021:4649)
  • 960679 Rocky Linux Security Update for llvm-toolset:rhel8 (RLSA-2021:4743)
  • 960715 Rocky Linux Security Update for gcc-toolset-11-annobin (RLSA-2021:4591)
  • 960716 Rocky Linux Security Update for gcc-toolset-11-gcc (RLSA-2021:4586)
  • 960733 Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2021:4590)
  • 960774 Rocky Linux Security Update for gcc (RLSA-2021:4587)
  • 960791 Rocky Linux Security Update for gcc-toolset-10-annobin (RLSA-2021:4592)
  • 960847 Rocky Linux Security Update for annobin (RLSA-2021:4593)
  • 960862 Rocky Linux Security Update for binutils (RLSA-2021:4595)
© CVE.report 2026
