{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-42694", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T03:38:50.055Z", "dateReserved": "2021-10-18T00:00:00", "datePublished": "2021-11-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-16T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://www.unicode.org/versions/Unicode14.0.0/"}, {"url": "https://trojansource.codes"}, {"name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"}, {"name": "[oss-security] 20211101 Trojan Source Attacks", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"}, {"name": "VU#999008", "tags": ["third-party-advisory"], "url": "https://www.kb.cert.org/vuls/id/999008"}, {"url": "https://www.scyon.nl/post/trojans-in-your-source-code"}, {"url": "https://www.unicode.org/reports/tr36/"}, {"url": "https://www.unicode.org/reports/tr39/"}, {"url": "https://cwe.mitre.org/data/definitions/1007.html"}, {"name": "GLSA-202210-09", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-09"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1007", "lang": "en", "description": "CWE-1007 Insufficient Visual Distinction of Homoglyphs Presented to User"}]}], "affected": [{"vendor": "unicode", "product": "unicode", "cpes": ["cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "14.0.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-18T17:31:01.226978Z", "id": "CVE-2021-42694", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T17:36:59.778Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.055Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.unicode.org/versions/Unicode14.0.0/", "tags": ["x_transferred"]}, {"url": "https://trojansource.codes", "tags": ["x_transferred"]}, {"name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"}, {"name": "[oss-security] 20211101 Trojan Source Attacks", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"}, {"name": "VU#999008", "tags": ["third-party-advisory", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/999008"}, {"url": "https://www.scyon.nl/post/trojans-in-your-source-code", "tags": ["x_transferred"]}, {"url": "https://www.unicode.org/reports/tr36/", "tags": ["x_transferred"]}, {"url": "https://www.unicode.org/reports/tr39/", "tags": ["x_transferred"]}, {"url": "https://cwe.mitre.org/data/definitions/1007.html", "tags": ["x_transferred"]}, {"name": "GLSA-202210-09", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-09"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.unicode.org/versions/Unicode14.0.0/", "tags": ["x_transferred"]}, {"url": "https://trojansource.codes", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/11/01/1", "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/11/01/6", "name": "[oss-security] 20211101 Trojan Source Attacks", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.kb.cert.org/vuls/id/999008", "name": "VU#999008", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://www.scyon.nl/post/trojans-in-your-source-code", "tags": ["x_transferred"]}, {"url": "https://www.unicode.org/reports/tr36/", "tags": ["x_transferred"]}, {"url": "https://www.unicode.org/reports/tr39/", "tags": ["x_transferred"]}, {"url": "https://cwe.mitre.org/data/definitions/1007.html", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-09", "name": "GLSA-202210-09", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.055Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-42694", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-18T17:31:01.226978Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*"], "vendor": "unicode", "product": "unicode", "versions": [{"status": "affected", "version": "0", "lessThan": "14.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1007", "description": "CWE-1007 Insufficient Visual Distinction of Homoglyphs Presented to User"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T17:36:54.824Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://www.unicode.org/versions/Unicode14.0.0/"}, {"url": "https://trojansource.codes"}, {"url": "http://www.openwall.com/lists/oss-security/2021/11/01/1", "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/11/01/6", "name": "[oss-security] 20211101 Trojan Source Attacks", "tags": ["mailing-list"]}, {"url": "https://www.kb.cert.org/vuls/id/999008", "name": "VU#999008", "tags": ["third-party-advisory"]}, {"url": "https://www.scyon.nl/post/trojans-in-your-source-code"}, {"url": "https://www.unicode.org/reports/tr36/"}, {"url": "https://www.unicode.org/reports/tr39/"}, {"url": "https://cwe.mitre.org/data/definitions/1007.html"}, {"url": "https://security.gentoo.org/glsa/202210-09", "name": "GLSA-202210-09", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-16T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2021-42694", "state": "PUBLISHED", "dateUpdated": "2024-08-04T03:38:50.055Z", "dateReserved": "2021-10-18T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-11-01T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAB64729-AF3D-46C0-B3B9-1588B46C524A", "versionEndExcluding": "14.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms."}, {"lang": "es", "value": "** EN DISPUTA ** Se ha detectado un problema en las definiciones de caracteres de la especificaci\u00f3n Unicode hasta la versi\u00f3n 14.0. La especificaci\u00f3n permite que un adversario produzca identificadores de c\u00f3digo fuente, tales como nombres de funciones, utilizando homoglifos que son visualmente id\u00e9nticos a un identificador de destino. Los adversarios pueden aprovechar esto para inyectar c\u00f3digo a trav\u00e9s de definiciones de identificadores adversos en dependencias de software ascendente invocadas de forma enga\u00f1osa en software descendente. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar este problema. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el est\u00e1ndar Unicode (todas las versiones). A menos que se mitigue, un adversario podr\u00eda producir identificadores de c\u00f3digo fuente utilizando caracteres homog\u00e9neos que son visualmente id\u00e9nticos pero distintos a un identificador de destino. De esta manera, un adversario podr\u00eda inyectar definiciones de identificadores adversos en el software de entrada que no son detectados por los revisores humanos y son invocados enga\u00f1osamente en el software de salida. El Consorcio Unicode ha documentado esta clase de vulnerabilidad de seguridad en su documento, Informe T\u00e9cnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode tambi\u00e9n proporciona orientaci\u00f3n sobre las mitigaciones para esta clase de problemas en la Norma T\u00e9cnica de Unicode #39, Mecanismos de Seguridad de Unicode."}], "id": "CVE-2021-42694", "lastModified": "2024-08-04T04:16:06.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-11-01T04:15:08.043", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.unicode.org/versions/Unicode14.0.0/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/1007.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-09"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://trojansource.codes"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/999008"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.scyon.nl/post/trojans-in-your-source-code"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Vendor Advisory"], "url": "https://www.unicode.org/reports/tr36/"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Vendor Advisory"], "url": "https://www.unicode.org/reports/tr39/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1007"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Nicholas Boucher and Ross Anderson (University of Cambridge) for reporting this issue.", "bugzilla": {"description": "environment: Homoglyph characters can lead to trojan source attack", "id": "2015365", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015365"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-838", "details": ["An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.", "A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. Homoglyphs are different Unicode characters that, to the naked eye, look the same. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing functions that look similar to standard library functions, such as print, but replace one character with a homoglyph. This function can then be defined in an upstream dependency to launch source code-related attacks."], "name": "CVE-2021-42694", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2021-11-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-42694\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-42694\nhttps://trojansource.codes/\nhttps://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/\nhttps://www.unicode.org/reports/tr36/#Canonical_Represenation"], "statement": "This is a flaw with the way unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. It is not a flaw in Red Hat products.", "threat_severity": "Moderate"}