CVE-2021-42574 (GCVE-0-2021-42574)
Vulnerability from cvelistv5
Published
2021-11-01 00:00
Modified
2024-08-04 03:38
Severity ?
CWE
  • n/a
Summary
An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
References
cve@mitre.org http://www.openwall.com/lists/oss-security/2021/11/01/1 Exploit, Mailing List, Mitigation, Third Party Advisory
cve@mitre.org http://www.openwall.com/lists/oss-security/2021/11/01/4 Exploit, Mailing List, Third Party Advisory
cve@mitre.org http://www.openwall.com/lists/oss-security/2021/11/01/5 Mailing List, Third Party Advisory
cve@mitre.org http://www.openwall.com/lists/oss-security/2021/11/01/6 Mailing List, Third Party Advisory
cve@mitre.org http://www.openwall.com/lists/oss-security/2021/11/02/10 Mailing List
cve@mitre.org http://www.unicode.org/versions/Unicode14.0.0/ Release Notes, Vendor Advisory
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/
cve@mitre.org https://security.gentoo.org/glsa/202210-09 Third Party Advisory
cve@mitre.org https://trojansource.codes Exploit, Technical Description, Third Party Advisory
cve@mitre.org https://www.kb.cert.org/vuls/id/999008 Third Party Advisory, US Government Resource
cve@mitre.org https://www.scyon.nl/post/trojans-in-your-source-code Exploit, Mitigation, Third Party Advisory
cve@mitre.org https://www.starwindsoftware.com/security/sw-20220804-0002/ Third Party Advisory
cve@mitre.org https://www.unicode.org/reports/tr31/ Technical Description, Vendor Advisory
cve@mitre.org https://www.unicode.org/reports/tr36/ Technical Description, Vendor Advisory
cve@mitre.org https://www.unicode.org/reports/tr39/ Technical Description, Vendor Advisory
cve@mitre.org https://www.unicode.org/reports/tr9/tr9-44.html#HL4 Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2021/11/01/1 Exploit, Mailing List, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2021/11/01/4 Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2021/11/01/5 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2021/11/01/6 Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2021/11/02/10 Mailing List
af854a3a-2127-422b-91ae-364da2661108 http://www.unicode.org/versions/Unicode14.0.0/ Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/
af854a3a-2127-422b-91ae-364da2661108 https://security.gentoo.org/glsa/202210-09 Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://trojansource.codes Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.kb.cert.org/vuls/id/999008 Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108 https://www.scyon.nl/post/trojans-in-your-source-code Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.starwindsoftware.com/security/sw-20220804-0002/ Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.unicode.org/reports/tr31/ Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.unicode.org/reports/tr36/ Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.unicode.org/reports/tr39/ Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.unicode.org/reports/tr9/tr9-44.html#HL4 Technical Description, Vendor Advisory
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-42574",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-11T15:16:49.504878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-11T15:17:01.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:38:49.283Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.unicode.org/versions/Unicode14.0.0/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://trojansource.codes"
          },
          {
            "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
          },
          {
            "name": "[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/4"
          },
          {
            "name": "[oss-security] 20211101 Trojan Source Attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
          },
          {
            "name": "[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/5"
          },
          {
            "name": "[oss-security] 20211102 Re: Trojan Source Attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/02/10"
          },
          {
            "name": "FEDORA-2021-0578e23912",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"
          },
          {
            "name": "FEDORA-2021-7ad3a01f6a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"
          },
          {
            "name": "VU#999008",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/999008"
          },
          {
            "name": "FEDORA-2021-443139f67c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr36/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr39/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr31/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.starwindsoftware.com/security/sw-20220804-0002/"
          },
          {
            "name": "GLSA-202210-09",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-16T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://www.unicode.org/versions/Unicode14.0.0/"
        },
        {
          "url": "https://trojansource.codes"
        },
        {
          "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
        },
        {
          "name": "[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/4"
        },
        {
          "name": "[oss-security] 20211101 Trojan Source Attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
        },
        {
          "name": "[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/01/5"
        },
        {
          "name": "[oss-security] 20211102 Re: Trojan Source Attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/02/10"
        },
        {
          "name": "FEDORA-2021-0578e23912",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"
        },
        {
          "name": "FEDORA-2021-7ad3a01f6a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"
        },
        {
          "name": "VU#999008",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/999008"
        },
        {
          "name": "FEDORA-2021-443139f67c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"
        },
        {
          "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
        },
        {
          "url": "https://www.unicode.org/reports/tr36/"
        },
        {
          "url": "https://www.unicode.org/reports/tr39/"
        },
        {
          "url": "https://www.unicode.org/reports/tr31/"
        },
        {
          "url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4"
        },
        {
          "url": "https://www.starwindsoftware.com/security/sw-20220804-0002/"
        },
        {
          "name": "GLSA-202210-09",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-09"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-42574",
    "datePublished": "2021-11-01T00:00:00",
    "dateReserved": "2021-10-18T00:00:00",
    "dateUpdated": "2024-08-04T03:38:49.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-42574\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-11-01T04:15:07.970\",\"lastModified\":\"2024-11-21T06:27:50.130\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\"},{\"lang\":\"es\",\"value\":\"** EN DISPUTA** Se ha detectado un problema en el algoritmo bidireccional de la especificaci\u00f3n Unicode hasta la versi\u00f3n 14.0. Permite la reordenaci\u00f3n visual de los caracteres a trav\u00e9s de secuencias de control, lo que puede ser utilizado para crear c\u00f3digo fuente que se traduce en una l\u00f3gica diferente a la ordenaci\u00f3n l\u00f3gica de los tokens ingeridos por los compiladores e int\u00e9rpretes. Los adversarios pueden aprovechar esto para codificar el c\u00f3digo fuente de los compiladores que aceptan Unicode, de manera que las vulnerabilidades objetivo se introduzcan de forma invisible para los revisores humanos. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar esta preocupaci\u00f3n. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el est\u00e1ndar Unicode y el algoritmo bidireccional Unicode (todas las versiones). Debido al comportamiento de la visualizaci\u00f3n del texto cuando \u00e9ste incluye caracteres de izquierda a derecha y de derecha a izquierda, el orden visual de los tokens puede ser diferente de su orden l\u00f3gico. Adem\u00e1s, los caracteres de control necesarios para cumplir los requisitos del texto bidireccional pueden ofuscar a\u00fan m\u00e1s el orden l\u00f3gico de las fichas. A menos que se mitigue, un adversario podr\u00eda elaborar el c\u00f3digo fuente de tal manera que el orden de los tokens percibido por los revisores humanos no coincida con el que ser\u00e1 procesado por un compilador/interpretador/etc. El Consorcio Unicode ha documentado esta clase de vulnerabilidad en su documento, Informe T\u00e9cnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode tambi\u00e9n proporciona orientaci\u00f3n sobre las mitigaciones para esta clase de problemas en la Norma T\u00e9cnica de Unicode #39, Mecanismos de Seguridad de Unicode, y en el Anexo de la Norma de Unicode #31, Identificador de Unicode y Sintaxis de Patrones. Adem\u00e1s, la especificaci\u00f3n BIDI permite a las aplicaciones adaptar la implementaci\u00f3n de manera que pueda mitigar la reordenaci\u00f3n visual enga\u00f1osa en el texto del programa; v\u00e9ase HL4 en el Anexo #9 del Est\u00e1ndar Unicode, Algoritmo Bidireccional Unicode.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"14.0.0\",\"matchCriteriaId\":\"FAB64729-AF3D-46C0-B3B9-1588B46C524A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE49F316-C502-4D7A-AA70-D7745AEDAA93\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/5\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/02/10\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.unicode.org/versions/Unicode14.0.0/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.gentoo.org/glsa/202210-09\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://trojansource.codes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/999008\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.scyon.nl/post/trojans-in-your-source-code\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.starwindsoftware.com/security/sw-20220804-0002/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr31/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr36/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr39/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr9/tr9-44.html#HL4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/01/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/02/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.unicode.org/versions/Unicode14.0.0/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202210-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://trojansource.codes\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/999008\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.scyon.nl/post/trojans-in-your-source-code\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.starwindsoftware.com/security/sw-20220804-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr31/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr36/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr39/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://www.unicode.org/reports/tr9/tr9-44.html#HL4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.unicode.org/versions/Unicode14.0.0/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://trojansource.codes\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/1\", \"name\": \"[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/4\", \"name\": \"[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/6\", \"name\": \"[oss-security] 20211101 Trojan Source Attacks\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/5\", \"name\": \"[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/02/10\", \"name\": \"[oss-security] 20211102 Re: Trojan Source Attacks\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/\", \"name\": \"FEDORA-2021-0578e23912\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/\", \"name\": \"FEDORA-2021-7ad3a01f6a\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/999008\", \"name\": \"VU#999008\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/\", \"name\": \"FEDORA-2021-443139f67c\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.scyon.nl/post/trojans-in-your-source-code\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.unicode.org/reports/tr36/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.unicode.org/reports/tr39/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.unicode.org/reports/tr31/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.unicode.org/reports/tr9/tr9-44.html#HL4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.starwindsoftware.com/security/sw-20220804-0002/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202210-09\", \"name\": \"GLSA-202210-09\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T03:38:49.283Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-42574\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-11T15:16:49.504878Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-11T15:16:54.431Z\"}}], \"cna\": {\"tags\": [\"disputed\"], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"http://www.unicode.org/versions/Unicode14.0.0/\"}, {\"url\": \"https://trojansource.codes\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/1\", \"name\": \"[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/4\", \"name\": \"[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/6\", \"name\": \"[oss-security] 20211101 Trojan Source Attacks\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/5\", \"name\": \"[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/02/10\", \"name\": \"[oss-security] 20211102 Re: Trojan Source Attacks\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/\", \"name\": \"FEDORA-2021-0578e23912\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/\", \"name\": \"FEDORA-2021-7ad3a01f6a\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/999008\", \"name\": \"VU#999008\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/\", \"name\": \"FEDORA-2021-443139f67c\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.scyon.nl/post/trojans-in-your-source-code\"}, {\"url\": \"https://www.unicode.org/reports/tr36/\"}, {\"url\": \"https://www.unicode.org/reports/tr39/\"}, {\"url\": \"https://www.unicode.org/reports/tr31/\"}, {\"url\": \"https://www.unicode.org/reports/tr9/tr9-44.html#HL4\"}, {\"url\": \"https://www.starwindsoftware.com/security/sw-20220804-0002/\"}, {\"url\": \"https://security.gentoo.org/glsa/202210-09\", \"name\": \"GLSA-202210-09\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2022-10-16T00:00:00\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-42574\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-04T03:38:49.283Z\", \"dateReserved\": \"2021-10-18T00:00:00\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2021-11-01T00:00:00\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.