{"api_version":"1","generated_at":"2026-04-22T22:50:38+00:00","cve":"CVE-2021-42574","urls":{"html":"https://cve.report/CVE-2021-42574","api":"https://cve.report/api/cve/CVE-2021-42574.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-42574","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-42574"},"summary":{"title":"CVE-2021-42574","description":"** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. 
The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-11-01 04:15:00","updated_at":"2023-11-07 03:39:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://www.scyon.nl/post/trojans-in-your-source-code","name":"https://www.scyon.nl/post/trojans-in-your-source-code","refsource":"MISC","tags":[],"title":"Trojans in your source code","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/1","name":"[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in\n source code","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/6","name":"[oss-security] 20211101 Trojan Source Attacks","refsource":"MLIST","tags":[],"title":"oss-security - Trojan Source Attacks","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-09","name":"GLSA-202210-09","refsource":"GENTOO","tags":[],"title":"Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/","name":"FEDORA-2021-443139f67c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: 
rust-1.56.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.unicode.org/reports/tr31/","name":"https://www.unicode.org/reports/tr31/","refsource":"MISC","tags":[],"title":"UAX #31: Unicode Identifier and Pattern Syntax","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/","name":"FEDORA-2021-7ad3a01f6a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-1.56.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/02/10","name":"[oss-security] 20211102 Re: Trojan Source Attacks","refsource":"MLIST","tags":[],"title":"oss-security - Re: Trojan Source Attacks","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/","name":"FEDORA-2021-0578e23912","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.56.1-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/","name":"FEDORA-2021-443139f67c","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: rust-1.56.1-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/","name":"FEDORA-2021-0578e23912","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.56.1-1.fc34 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.kb.cert.org/vuls/id/999008","name":"VU#999008","refsource":"CERT-VN","tags":[],"title":"VU#999008 - Compilers permit Unicode control and homoglyph characters","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/5","name":"[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","refsource":"MLIST","tags":[],"title":"oss-security - Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override\n codepoints in source code","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.starwindsoftware.com/security/sw-20220804-0002/","name":"https://www.starwindsoftware.com/security/sw-20220804-0002/","refsource":"MISC","tags":[],"title":"CVE-2021-42574 Bidirectional Algorithm issue in StarWind Products","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.unicode.org/reports/tr36/","name":"https://www.unicode.org/reports/tr36/","refsource":"MISC","tags":[],"title":"UTR #36: Unicode Security Considerations","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","name":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","refsource":"MISC","tags":[],"title":"UAX #9: Unicode Bidirectional Algorithm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.unicode.org/versions/Unicode14.0.0/","name":"http://www.unicode.org/versions/Unicode14.0.0/","refsource":"MISC","tags":[],"title":"Unicode 14.0.0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/4","name":"[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","refsource":"MLIST","tags":[],"title":"oss-security - Re: CVE-2021-42574: rustc 
1.56.0 and\n bidirectional-override codepoints in source code","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.unicode.org/reports/tr39/","name":"https://www.unicode.org/reports/tr39/","refsource":"MISC","tags":[],"title":"UTS #39: Unicode Security Mechanisms","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/","name":"FEDORA-2021-7ad3a01f6a","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-1.56.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://trojansource.codes","name":"https://trojansource.codes","refsource":"MISC","tags":[],"title":"Trojan Source Attacks","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-42574","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42574","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"42574","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"42574","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"42574","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"42574","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"starwindsoftware","cpe5":"starwind_virtual_san","cpe6":"v8r13","cpe7":"14398","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"42574","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"unicode","cpe5":"unicode","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-42574","qid":"159440","title":"Oracle Enterprise Linux Security Update for binutils (ELSA-2021-4033)"},{"cve":"CVE-2021-42574","qid":"159524","title":"Oracle Enterprise Linux Security Update for gcc-toolset-10-gcc (ELSA-2021-4585)"},{"cve":"CVE-2021-42574","qid":"159525","title":"Oracle Enterprise Linux Security Update for gcc-toolset-11-gcc (ELSA-2021-4586)"},{"cve":"CVE-2021-42574","qid":"159526","title":"Oracle Enterprise Linux Security Update for gcc 
(ELSA-2021-4587)"},{"cve":"CVE-2021-42574","qid":"159527","title":"Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2021-4590)"},{"cve":"CVE-2021-42574","qid":"159528","title":"Oracle Enterprise Linux Security Update for gcc-toolset-11-annobin (ELSA-2021-4591)"},{"cve":"CVE-2021-42574","qid":"159529","title":"Oracle Enterprise Linux Security Update for gcc-toolset-10-annobin (ELSA-2021-4592)"},{"cve":"CVE-2021-42574","qid":"159530","title":"Oracle Enterprise Linux Security Update for annobin (ELSA-2021-4593)"},{"cve":"CVE-2021-42574","qid":"159531","title":"Oracle Enterprise Linux Security Update for gcc-toolset-11-binutils (ELSA-2021-4594)"},{"cve":"CVE-2021-42574","qid":"159532","title":"Oracle Enterprise Linux Security Update for binutils (ELSA-2021-4595)"},{"cve":"CVE-2021-42574","qid":"159536","title":"Oracle Enterprise Linux Security Update for gcc-toolset-10-binutils (ELSA-2021-4649)"},{"cve":"CVE-2021-42574","qid":"159537","title":"Oracle Enterprise Linux Security Update for llvm-toolset:ol8 (ELSA-2021-4743)"},{"cve":"CVE-2021-42574","qid":"184440","title":"Debian Security Update for rustc (CVE-2021-42574)"},{"cve":"CVE-2021-42574","qid":"239748","title":"Red Hat Update for binutils (RHSA-2021:4033)"},{"cve":"CVE-2021-42574","qid":"239749","title":"Red Hat Update for devtoolset-10-gcc (RHSA-2021:4039)"},{"cve":"CVE-2021-42574","qid":"239850","title":"Red Hat Update for gcc-toolset-11-binutils (RHSA-2021:4594)"},{"cve":"CVE-2021-42574","qid":"239851","title":"Red Hat Update for gcc-toolset-10-annobin (RHSA-2021:4589)"},{"cve":"CVE-2021-42574","qid":"239854","title":"Red Hat Update for binutils (RHSA-2021:4595)"},{"cve":"CVE-2021-42574","qid":"239855","title":"Red Hat Update for gcc-toolset-10-annobin (RHSA-2021:4592)"},{"cve":"CVE-2021-42574","qid":"239856","title":"Red Hat Update for gcc (RHSA-2021:4587)"},{"cve":"CVE-2021-42574","qid":"239857","title":"Red Hat Update for binutils 
(RHSA-2021:4602)"},{"cve":"CVE-2021-42574","qid":"239858","title":"Red Hat Update for gcc-toolset-10-gcc (RHSA-2021:4585)"},{"cve":"CVE-2021-42574","qid":"239859","title":"Red Hat Update for annobin (RHSA-2021:4600)"},{"cve":"CVE-2021-42574","qid":"239861","title":"Red Hat Update for gcc-toolset-11-gcc (RHSA-2021:4586)"},{"cve":"CVE-2021-42574","qid":"239862","title":"Red Hat Update for annobin (RHSA-2021:4598)"},{"cve":"CVE-2021-42574","qid":"239863","title":"Red Hat Update for annobin (RHSA-2021:4599)"},{"cve":"CVE-2021-42574","qid":"239864","title":"Red Hat Update for gcc-toolset-11-annobin (RHSA-2021:4591)"},{"cve":"CVE-2021-42574","qid":"239866","title":"Red Hat Update for binutils (RHSA-2021:4596)"},{"cve":"CVE-2021-42574","qid":"239867","title":"Red Hat Update for binutils (RHSA-2021:4601)"},{"cve":"CVE-2021-42574","qid":"239868","title":"Red Hat Update for gcc-toolset-10-binutils (RHSA-2021:4588)"},{"cve":"CVE-2021-42574","qid":"239870","title":"Red Hat Update for annobin (RHSA-2021:4593)"},{"cve":"CVE-2021-42574","qid":"239872","title":"Red Hat Update for rust-toolset:rhel8 (RHSA-2021:4590)"},{"cve":"CVE-2021-42574","qid":"239883","title":"Red Hat Update for devtoolset-11-gcc (RHSA-2021:4669)"},{"cve":"CVE-2021-42574","qid":"239886","title":"Red Hat Update for gcc-toolset-10-binutils (RHSA-2021:4649)"},{"cve":"CVE-2021-42574","qid":"239897","title":"Red Hat Update for devtoolset-10-annobin (RHSA-2021:4724)"},{"cve":"CVE-2021-42574","qid":"239898","title":"Red Hat Update for devtoolset-10-binutils (RHSA-2021:4723)"},{"cve":"CVE-2021-42574","qid":"239899","title":"Red Hat Update for devtoolset-11-binutils (RHSA-2021:4730)"},{"cve":"CVE-2021-42574","qid":"239900","title":"Red Hat Update for llvm-toolset:rhel8 (RHSA-2021:4743)"},{"cve":"CVE-2021-42574","qid":"239901","title":"Red Hat Update for devtoolset-11-annobin (RHSA-2021:4729)"},{"cve":"CVE-2021-42574","qid":"257129","title":"CentOS Security Update for binutils 
(CESA-2021:4033)"},{"cve":"CVE-2021-42574","qid":"282032","title":"Fedora Security Update for rust (FEDORA-2021-0578e23912)"},{"cve":"CVE-2021-42574","qid":"282046","title":"Fedora Security Update for rust (FEDORA-2021-443139f67c)"},{"cve":"CVE-2021-42574","qid":"296086","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)"},{"cve":"CVE-2021-42574","qid":"353280","title":"Amazon Linux Security Advisory for gcc10, gcc : ALAS2-2022-1784"},{"cve":"CVE-2021-42574","qid":"354359","title":"Amazon Linux Security Advisory for gcc : ALAS2022-2022-222"},{"cve":"CVE-2021-42574","qid":"354368","title":"Amazon Linux Security Advisory for gcc : ALAS2022-2022-057"},{"cve":"CVE-2021-42574","qid":"354573","title":"Amazon Linux Security Advisory for gcc : ALAS-2022-222"},{"cve":"CVE-2021-42574","qid":"355160","title":"Amazon Linux Security Advisory for gcc : ALAS2023-2023-030"},{"cve":"CVE-2021-42574","qid":"377278","title":"Alibaba Cloud Linux Security Update for binutils (ALINUX2-SA-2021:0062)"},{"cve":"CVE-2021-42574","qid":"377566","title":"Alibaba Cloud Linux Security Update for rust-toolset:rhel8 (ALINUX3-SA-2022:0116)"},{"cve":"CVE-2021-42574","qid":"502185","title":"Alpine Linux Security Update for rust"},{"cve":"CVE-2021-42574","qid":"671352","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-1262)"},{"cve":"CVE-2021-42574","qid":"671451","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-1443)"},{"cve":"CVE-2021-42574","qid":"671471","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-1422)"},{"cve":"CVE-2021-42574","qid":"671496","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-1481)"},{"cve":"CVE-2021-42574","qid":"671514","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-1500)"},{"cve":"CVE-2021-42574","qid":"672406","title":"EulerOS Security Update for binutils (EulerOS-SA-2022-2789)"},{"cve":"CVE-2021-42574","qid":"710640","title":"Gentoo Linux Rust Multiple 
Vulnerabilities (GLSA 202210-09)"},{"cve":"CVE-2021-42574","qid":"730247","title":"Atlassian Jira Server and Data Center Code Injection Vulnerability (JRASERVER-72978)"},{"cve":"CVE-2021-42574","qid":"730338","title":"Atlassian Confluence Server Code Injection Vulnerability (CONFSERVER-74534)"},{"cve":"CVE-2021-42574","qid":"730343","title":"Atlassian Bitbucket Server and Data Center Code Injection Vulnerability (CVE-2021-42574)"},{"cve":"CVE-2021-42574","qid":"730371","title":"McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)"},{"cve":"CVE-2021-42574","qid":"730383","title":"Atlassian Bamboo Server and Data Center Code Injection Vulnerability (CVE-2021-42574)"},{"cve":"CVE-2021-42574","qid":"730464","title":"Atlassian Jira Service Management Server and Insight Asset Management Vulnerability (JSDSERVER-10843)"},{"cve":"CVE-2021-42574","qid":"731326","title":"Atlassian Bamboo Server and Data Center Security Update (BAM-21479)"},{"cve":"CVE-2021-42574","qid":"940110","title":"AlmaLinux Security Update for gcc-toolset-10-binutils (ALSA-2021:4649)"},{"cve":"CVE-2021-42574","qid":"940112","title":"AlmaLinux Security Update for gcc-toolset-11-annobin (ALSA-2021:4591)"},{"cve":"CVE-2021-42574","qid":"940115","title":"AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2021:4590)"},{"cve":"CVE-2021-42574","qid":"940133","title":"AlmaLinux Security Update for gcc (ALSA-2021:4587)"},{"cve":"CVE-2021-42574","qid":"940190","title":"AlmaLinux Security Update for gcc-toolset-10-gcc (ALSA-2021:4585)"},{"cve":"CVE-2021-42574","qid":"940240","title":"AlmaLinux Security Update for gcc-toolset-10-annobin (ALSA-2021:4592)"},{"cve":"CVE-2021-42574","qid":"940301","title":"AlmaLinux Security Update for llvm-toolset:rhel8 (ALSA-2021:4743)"},{"cve":"CVE-2021-42574","qid":"940342","title":"AlmaLinux Security Update for gcc-toolset-11-gcc 
(ALSA-2021:4586)"},{"cve":"CVE-2021-42574","qid":"940360","title":"AlmaLinux Security Update for gcc-toolset-11-binutils (ALSA-2021:4594)"},{"cve":"CVE-2021-42574","qid":"940374","title":"AlmaLinux Security Update for binutils (ALSA-2021:4595)"},{"cve":"CVE-2021-42574","qid":"940410","title":"AlmaLinux Security Update for annobin (ALSA-2021:4593)"},{"cve":"CVE-2021-42574","qid":"960433","title":"Rocky Linux Security Update for gcc-toolset-10-gcc (RLSA-2021:4585)"},{"cve":"CVE-2021-42574","qid":"960674","title":"Rocky Linux Security Update for gcc-toolset-11-binutils (RLSA-2021:4594)"},{"cve":"CVE-2021-42574","qid":"960677","title":"Rocky Linux Security Update for gcc-toolset-10-binutils (RLSA-2021:4649)"},{"cve":"CVE-2021-42574","qid":"960679","title":"Rocky Linux Security Update for llvm-toolset:rhel8 (RLSA-2021:4743)"},{"cve":"CVE-2021-42574","qid":"960715","title":"Rocky Linux Security Update for gcc-toolset-11-annobin (RLSA-2021:4591)"},{"cve":"CVE-2021-42574","qid":"960716","title":"Rocky Linux Security Update for gcc-toolset-11-gcc (RLSA-2021:4586)"},{"cve":"CVE-2021-42574","qid":"960733","title":"Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2021:4590)"},{"cve":"CVE-2021-42574","qid":"960774","title":"Rocky Linux Security Update for gcc (RLSA-2021:4587)"},{"cve":"CVE-2021-42574","qid":"960791","title":"Rocky Linux Security Update for gcc-toolset-10-annobin (RLSA-2021:4592)"},{"cve":"CVE-2021-42574","qid":"960847","title":"Rocky Linux Security Update for annobin (RLSA-2021:4593)"},{"cve":"CVE-2021-42574","qid":"960862","title":"Rocky Linux Security Update for binutils 
(RLSA-2021:4595)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-42574","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. 
The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"http://www.unicode.org/versions/Unicode14.0.0/","refsource":"MISC","name":"http://www.unicode.org/versions/Unicode14.0.0/"},{"refsource":"MISC","name":"https://trojansource.codes","url":"https://trojansource.codes"},{"refsource":"MLIST","name":"[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","url":"http://www.openwall.com/lists/oss-security/2021/11/01/1"},{"refsource":"MLIST","name":"[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","url":"http://www.openwall.com/lists/oss-security/2021/11/01/4"},{"refsource":"MLIST","name":"[oss-security] 20211101 Trojan Source Attacks","url":"http://www.openwall.com/lists/oss-security/2021/11/01/6"},{"refsource":"MLIST","name":"[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code","url":"http://www.openwall.com/lists/oss-security/2021/11/01/5"},{"refsource":"MLIST","name":"[oss-security] 20211102 Re: Trojan Source 
Attacks","url":"http://www.openwall.com/lists/oss-security/2021/11/02/10"},{"refsource":"FEDORA","name":"FEDORA-2021-0578e23912","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"},{"refsource":"FEDORA","name":"FEDORA-2021-7ad3a01f6a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"},{"refsource":"CERT-VN","name":"VU#999008","url":"https://www.kb.cert.org/vuls/id/999008"},{"refsource":"FEDORA","name":"FEDORA-2021-443139f67c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"},{"refsource":"MISC","name":"https://www.scyon.nl/post/trojans-in-your-source-code","url":"https://www.scyon.nl/post/trojans-in-your-source-code"},{"refsource":"MISC","name":"https://www.unicode.org/reports/tr36/","url":"https://www.unicode.org/reports/tr36/"},{"refsource":"MISC","name":"https://www.unicode.org/reports/tr39/","url":"https://www.unicode.org/reports/tr39/"},{"refsource":"MISC","name":"https://www.unicode.org/reports/tr31/","url":"https://www.unicode.org/reports/tr31/"},{"refsource":"MISC","name":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4"},{"refsource":"MISC","name":"https://www.starwindsoftware.com/security/sw-20220804-0002/","url":"https://www.starwindsoftware.com/security/sw-20220804-0002/"},{"refsource":"GENTOO","name":"GLSA-202210-09","url":"https://security.gentoo.org/glsa/202210-09"}]}},"nvd":{"publishedDate":"2021-11-01 04:15:00","lastModifiedDate":"2023-11-07 
03:39:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.3,"baseSeverity":"HIGH"},"exploitabilityScore":1.6,"impactScore":6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.1},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*","versionEndExcluding":"14.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"42574","Ordinal":"219067","Title":"CVE-2021-42574","CVE":"CVE-2021-42574","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"42574","Ordinal":"1","NoteData":"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. 
It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"42574","Ordinal":"2","NoteData":"2021-10-31","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"42574","Ordinal":"3","NoteData":"2021-11-10","Type":"Other","Title":"Modified"}]}}}
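Added example, not part of the CVE record above and not code from the Unicode Consortium or any vendor it references: a Python scanner for the nine UAX #9 bidirectional control characters (the embeddings, overrides and isolates plus their terminators PDF and PDI), which is the program-text check that the description's mitigation pointers (UTS #39, UAX #31, UAX #9 HL4) come down to. It reports each control with line and column, flags lines that leave an opener unterminated (the shape the description's attack takes, since reordering then runs to the end of the line), strips the controls to show the token order an interpreter actually ingests, and runs a constructed Python snippet to show the mismatch: a RIGHT-TO-LEFT ISOLATE placed before `''' ;return` inside what reads as a docstring makes the function return before it touches the balance. The sample programs, the `bank`/`subtract_funds` names and the `Finding` type are constructed for this illustration.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example for the CVE-2021-42574 record above; not code from the CVE
record, the Unicode Consortium or any referenced vendor. Samples are constructed.
"""
import unicodedata
from dataclasses import dataclass
from typing import Any, Dict, List

# The nine UAX #9 controls that open or close a reordered span. PDF (U+202C)
# closes embeddings and overrides; PDI (U+2069) closes isolates.
CLOSER_FOR: Dict[str, str] = {
    "\u202a": "\u202c",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "\u202c",  # RIGHT-TO-LEFT EMBEDDING
    "\u202d": "\u202c",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "\u202c",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "\u2069",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "\u2069",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "\u2069",  # FIRST STRONG ISOLATE
}
BIDI_CONTROLS = frozenset(CLOSER_FOR) | frozenset(CLOSER_FOR.values())


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number
    col: int    # 1-based column in code points, not bytes
    codepoint: int
    name: str


def find_bidi_controls(source: str) -> List[Finding]:
    """Every bidi control character in source, with its position."""
    found = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for idx, ch in enumerate(text):
            if ch in BIDI_CONTROLS:
                found.append(Finding(lineno, idx + 1, ord(ch), unicodedata.name(ch)))
    return found


def unpaired_lines(source: str) -> List[int]:
    """Lines that end with an opener still unterminated.

    UAX #9 closes every embedding, override and isolate at the paragraph
    separator, so one line is the natural scope; the attack shape leaves the
    opener open so reordering runs to end of line. Per-line approximation.
    """
    bad = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stack: List[str] = []
        for ch in text:
            if ch in CLOSER_FOR:
                stack.append(CLOSER_FOR[ch])
            elif stack and ch == stack[-1]:
                stack.pop()
        if stack:
            bad.append(lineno)
    return bad


def strip_bidi_controls(source: str) -> str:
    """Drop the controls so the text reads in the order the compiler sees."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


def report(source: str, path: str = "<input>") -> List[str]:
    """Linter-style lines: path:line:col: U+XXXX NAME [tag]."""
    open_lines = set(unpaired_lines(source))
    out = []
    for f in find_bidi_controls(source):
        tag = "  [control left unterminated on this line]" if f.line in open_lines else ""
        out.append(f"{path}:{f.line}:{f.col}: U+{f.codepoint:04X} {f.name}{tag}")
    return out


# Constructed sample in the shape the references describe: a RIGHT-TO-LEFT
# ISOLATE (U+2067) lets ''' ;return display as docstring text while the
# interpreter sees the string close and then a bare return.
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account: str, amount: int):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "\n"
    "subtract_funds('alice', 50)\n"
)

# Constructed benign sample: Hebrew in a literal, wrapped in a paired RLE ... PDF.
BENIGN_SOURCE = "greeting = '\u202b\u05e9\u05dc\u05d5\u05dd\u202c'\n"


def balance_after_running(source: str) -> int:
    """Run a constructed sample and return alice's balance afterwards."""
    namespace: Dict[str, Any] = {}
    exec(source, namespace)  # constructed input from this file, never untrusted code
    return namespace["bank"]["alice"]


if __name__ == "__main__":
    for line in report(TROJAN_SOURCE, "trojan.py"):
        print(line)
    print("alice after the call:", balance_after_running(TROJAN_SOURCE))
    print("logical line 4:", strip_bidi_controls(TROJAN_SOURCE).splitlines()[3])
```

A clean result from `unpaired_lines` is not a clean bill of health: paired controls can still move tokens within a line, and a literal that legitimately holds right-to-left text will show up in `find_bidi_controls`. Treat any control in a source file as something a reviewer must see in raw code-point form, and use the unterminated flag only as the triage priority. The rust 1.56.1 updates in the references took the stricter route of a deny-by-default lint on these code points in comments and literals; GCC's -Wbidi-chars (outside this record) offers the same choice between warning on unpaired controls and on any control.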