CVE-2021-42694

Published on: 10/31/2021 12:00:00 AM UTC

Last Modified on: 12/06/2022 09:31:00 PM UTC

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Certain versions of Unicode from Unicode contain the following vulnerability:

** DISPUTED ** An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

  • CVE-2021-42694 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.3 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK HIGH NONE REQUIRED
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
CHANGED HIGH HIGH HIGH

CVSS2 Score: 5.1 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK HIGH NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
PARTIAL PARTIAL PARTIAL

CVE References

Description Tags Link
Trojans in your source code www.scyon.nl
text/html
URL Logo MISC www.scyon.nl/post/trojans-in-your-source-code
CWE - CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User (4.6) cwe.mitre.org
text/html
URL Logo MISC cwe.mitre.org/data/definitions/1007.html
oss-security - CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code www.openwall.com
text/html
URL Logo MLIST [oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code
oss-security - Trojan Source Attacks www.openwall.com
text/html
URL Logo MLIST [oss-security] 20211101 Trojan Source Attacks
Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security security.gentoo.org
text/html
URL Logo GENTOO GLSA-202210-09
VU#999008 - Compilers permit Unicode control and homoglyph characters www.kb.cert.org
text/html
URL Logo CERT-VN VU#999008
UTR #36: Unicode Security Considerations www.unicode.org
text/html
URL Logo MISC www.unicode.org/reports/tr36/
Unicode 14.0.0 www.unicode.org
text/html
URL Logo MISC www.unicode.org/versions/Unicode14.0.0/
UTS #39: Unicode Security Mechanisms www.unicode.org
text/html
URL Logo MISC www.unicode.org/reports/tr39/
Trojan Source Attacks trojansource.codes
text/html
URL Logo MISC trojansource.codes

Related QID Numbers

  • 710640 Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)
  • 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationUnicodeUnicodeAllAllAllAll
  • cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @leo60228 @Jazardly_ @FakeUnicode yes, they got a cve assigned for that too (CVE-2021-42694) 2021-11-01 01:19:42
Twitter Icon @IgnotumAliquis @rossjanderson @VessOnSecurity Both CVE-2021-42574 and CVE-2021-42694. What am I doing wrong? https://t.co/rWjxYHeW8i 2021-11-01 01:23:08
Twitter Icon @CVEreport CVE-2021-42694 : An issue was discovered in the character definitions of the Unicode Specification through 14.0. Th… twitter.com/i/web/status/1… 2021-11-01 04:04:47
Twitter Icon @FakeUnicode Related: cve.report/CVE-2021-42694 "An issue was discovered in the character definitions of the Unicode Specification… twitter.com/i/web/status/1… 2021-11-01 04:12:56
Twitter Icon @mandel59 ホモグラフ攻撃自体は、自明な脆弱性だが… "An issue was discovered in the character definitions of the Unicode S… twitter.com/i/web/status/1… 2021-11-01 04:20:30
Twitter Icon @FakeUnicode Both relevant CVEs on @MITREcorp: 2021-11-01 04:50:16
Reddit Logo Icon /r/Wordpress WordPress and the new vulnerability Trojan Source (CVE-2021-42694 and CVE-2021-42574) 2021-11-04 15:10:42
Reddit Logo Icon /r/netsec WordPress and the new vulnerability Trojan Source (CVE-2021-42694 and CVE-2021-42574) 2021-11-04 15:10:20
© CVE.report 2023 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report