CVE-2021-42694
Vulnerability from cvelistv5
Published
2021-11-01 00:00
Modified
2024-10-29 13:41
Summary
An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.
References
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2021/11/01/1Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2021/11/01/6Mailing List, Third Party Advisory
cve@mitre.orghttp://www.unicode.org/versions/Unicode14.0.0/Release Notes, Vendor Advisory
cve@mitre.orghttps://cwe.mitre.org/data/definitions/1007.htmlThird Party Advisory
cve@mitre.orghttps://security.gentoo.org/glsa/202210-09Third Party Advisory
cve@mitre.orghttps://trojansource.codesThird Party Advisory
cve@mitre.orghttps://www.kb.cert.org/vuls/id/999008Third Party Advisory, US Government Resource
cve@mitre.orghttps://www.scyon.nl/post/trojans-in-your-source-codeExploit, Third Party Advisory
cve@mitre.orghttps://www.unicode.org/reports/tr36/Technical Description, Vendor Advisory
cve@mitre.orghttps://www.unicode.org/reports/tr39/Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2021/11/01/1Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2021/11/01/6Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.unicode.org/versions/Unicode14.0.0/Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://cwe.mitre.org/data/definitions/1007.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202210-09Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://trojansource.codesThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.kb.cert.org/vuls/id/999008Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://www.scyon.nl/post/trojans-in-your-source-codeExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.unicode.org/reports/tr36/Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.unicode.org/reports/tr39/Technical Description, Vendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "unicode",
            "vendor": "unicode",
            "versions": [
              {
                "lessThan": "14.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-42694",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-18T17:31:01.226978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-29T13:41:17.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:38:50.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.unicode.org/versions/Unicode14.0.0/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://trojansource.codes"
          },
          {
            "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
          },
          {
            "name": "[oss-security] 20211101 Trojan Source Attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
          },
          {
            "name": "VU#999008",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/999008"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr36/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr39/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cwe.mitre.org/data/definitions/1007.html"
          },
          {
            "name": "GLSA-202210-09",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-16T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://www.unicode.org/versions/Unicode14.0.0/"
        },
        {
          "url": "https://trojansource.codes"
        },
        {
          "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
        },
        {
          "name": "[oss-security] 20211101 Trojan Source Attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
        },
        {
          "name": "VU#999008",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/999008"
        },
        {
          "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
        },
        {
          "url": "https://www.unicode.org/reports/tr36/"
        },
        {
          "url": "https://www.unicode.org/reports/tr39/"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/1007.html"
        },
        {
          "name": "GLSA-202210-09",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-09"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-42694",
    "datePublished": "2021-11-01T00:00:00",
    "dateReserved": "2021-10-18T00:00:00",
    "dateUpdated": "2024-10-29T13:41:17.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-42694\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-11-01T04:15:08.043\",\"lastModified\":\"2024-11-21T06:27:59.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.\"},{\"lang\":\"es\",\"value\":\"** EN DISPUTA ** Se ha detectado un problema en las definiciones de caracteres de la especificaci\u00f3n Unicode hasta la versi\u00f3n 14.0. La especificaci\u00f3n permite que un adversario produzca identificadores de c\u00f3digo fuente, tales como nombres de funciones, utilizando homoglifos que son visualmente id\u00e9nticos a un identificador de destino. Los adversarios pueden aprovechar esto para inyectar c\u00f3digo a trav\u00e9s de definiciones de identificadores adversos en dependencias de software ascendente invocadas de forma enga\u00f1osa en software descendente. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar este problema. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el est\u00e1ndar Unicode (todas las versiones). A menos que se mitigue, un adversario podr\u00eda producir identificadores de c\u00f3digo fuente utilizando caracteres homog\u00e9neos que son visualmente id\u00e9nticos pero distintos a un identificador de destino. De esta manera, un adversario podr\u00eda inyectar definiciones de identificadores adversos en el software de entrada que no son detectados por los revisores humanos y son invocados enga\u00f1osamente en el software de salida. El Consorcio Unicode ha documentado esta clase de vulnerabilidad de seguridad en su documento, Informe T\u00e9cnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode tambi\u00e9n proporciona orientaci\u00f3n sobre las mitigaciones para esta clase de problemas en la Norma T\u00e9cnica de Unicode #39, Mecanismos de Seguridad de Unicode.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":6.0},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"14.0.0\",\"matchCriteriaId\":\"FAB64729-AF3D-46C0-B3B9-1588B46C524A\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.unicode.org/versions/Unicode14.0.0/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://cwe.mitre.org/data/definitions/1007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202210-09\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://trojansource.codes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/999008\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.scyon.nl/post/trojans-in-your-source-code\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr36/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr39/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.unicode.org/versions/Unicode14.0.0/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://cwe.mitre.org/data/definitions/1007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202210-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://trojansource.codes\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/999008\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.scyon.nl/post/trojans-in-your-source-code\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr36/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr39/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.