CVE-2021-42694

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-42694
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-11-01 04:15:00 UTC
Updated2023-11-07 03:39:00 UTC
Description** DISPUTED ** An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Unicode Unicode All All All All

References

ReferenceSourceLinkTags
Trojans in your source code MISC www.scyon.nl
CWE - CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User (4.6) MISC cwe.mitre.org
oss-security - CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code MLIST www.openwall.com
oss-security - Trojan Source Attacks MLIST www.openwall.com
Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security GENTOO security.gentoo.org
VU#999008 - Compilers permit Unicode control and homoglyph characters CERT-VN www.kb.cert.org
UTR #36: Unicode Security Considerations MISC www.unicode.org
Unicode 14.0.0 MISC www.unicode.org
UTS #39: Unicode Security Mechanisms MISC www.unicode.org
Trojan Source Attacks MISC trojansource.codes
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 710640 Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)
  • 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report