Published: 01/11/2021 Updated: 11/04/2024

CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9

CVSS v3 Base Score: 8.3 | Impact Score: 6 | Exploitability Score: 1.6

VMScore: 458

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

An issue exists in the Bidirectional Algorithm in the Unicode Specification up to and including 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.

Vulnerable Product	Search on Vulmon	Subscribe to Product
unicode unicode
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35
starwindsoftware starwind virtual san v8r13

A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters The special handling and rendering of those characters can ...

Synopsis Moderate: Red Hat Advanced Cluster Security 368 security and enhancement update Type/Severity Security Advisory: Moderate Topic Updated images are now available for Red Hat Advanced Cluster Security forKubernetes (RHACS) The updated image includes a bug fixes, security patches and new feature enhancementsRed Hat Product Security h ...

Synopsis Moderate: Windows Container Support for Red Hat OpenShift 500 [security update] Type/Severity Security Advisory: Moderate Topic The components for Windows Container Support for Red Hat OpenShift 500 are now available This product release includes bug fixes and a moderate security update for the following packages: windows-machin ...

Synopsis Moderate: Gatekeeper Operator v02 security updates and bug fixes Type/Severity Security Advisory: Moderate Topic Gatekeeper Operator v02Red Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available f ...

Synopsis Important: Red Hat OpenShift GitOps security update Type/Severity Security Advisory: Important Topic An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 12 (GitOps v122)Re ...

Synopsis Moderate: Release of OpenShift Serverless 1200 Type/Severity Security Advisory: Moderate Topic Release of OpenShift Serverless 1200Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available fo ...

Synopsis Moderate: Red Hat OpenShift distributed tracing 210 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat Openshit distributed tracing 21Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, ...

Synopsis Important: Release of containers for OSP 162 director operator tech preview Type/Severity Security Advisory: Important Topic Red Hat OpenStack Platform 162 (Train) director Operator containers areavailable for technology preview Description Release osp-director-operator imagesSecurity Fix(es): golang: net/http: limit growth of h ...

Synopsis Moderate: Red Hat Advanced Cluster Management 2211 security updates and bug fixes Type/Severity Security Advisory: Moderate Topic Red Hat Advanced Cluster Management for Kubernetes 2211 General Availability release images, which provide one or more container updates and bug fixesRed Hat Product Security has rated this update as ...

Synopsis Moderate: Migration Toolkit for Containers (MTC) 154 security update Type/Severity Security Advisory: Moderate Topic The Migration Toolkit for Containers (MTC) 154 is now availableRed Hat Product Security has rated this update as having a security impactof Moderate A Common Vulnerability Scoring System (CVSS) base score, whichg ...

Synopsis Important: Red Hat Advanced Cluster Management 236 security updates and bug fixes Type/Severity Security Advisory: Important Topic Red Hat Advanced Cluster Management for Kubernetes 236 General Availabilityrelease images, which provide security updates and bug fixes Description Red Hat Advanced Cluster Management for Kubernete ...

Synopsis Important: Red Hat Advanced Cluster Management 242 security updates and bug fixes Type/Severity Security Advisory: Important Topic Red Hat Advanced Cluster Management for Kubernetes 242 General Availabilityrelease images This update provides security fixes, fixes bugs, and updates the container imagesRed Hat Product Security ha ...

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 140 It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters Adversaries can leverage this to encod ...

ALAS-2022-222 Amazon Linux 2022 Security Advisory: ALAS-2022-222 Advisory Release Date: 2022-12-06 16:42 Pacific ...

oss-sec mailing list archives   By Date By Thread </form>    Re: CVE-2021-42574: rustc 1560 and bidirectional-override codepoints in source code  <!--X-Head-o ...

oss-sec mailing list archives   By Date By Thread </form>    Re: Trojan Source Attacks   From: Stuart D Gathman <stuart () gathman ...

oss-sec mailing list archives   By Date By Thread </form>    Trojan Source Attacks   From: Nicholas Boucher <nicholasboucher () cl ...

POC of CVE-2021-42574 for solidity and solc compiler

solidity_CVE-2021-42574-POC Jan 31 2023, Altin (tin-z), githubcom/tin-z PoC POC of CVE-2021-42574 for solidity and solc compiler install # solc and select 0817 version (githubcom/crytic/solc-select) # foundry (githubcom/foundry-rs/foundry) deploy contract SOLV=0817 folder_t=test_open mkdir $folder_t &amp

Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator // Update: 05112021 It's now possible to not only encode, but also decode files Means that now files containing supported bidi chars can be translated to template files with bidi placeholders (LRO, ) Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specification and affects

Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574_and_CVE-2021-42694

A GitHub Action to find Unicode control characters using the Red Hat diagnostic tool https://access.redhat.com/security/vulnerabilities/RHSB-2021-007 to detect RHSB-2021-007 Trojan source attacks (CVE-2021-42574,CVE-2021-42694)

Unicode Control Characters Action A GitHub Action to find Unicode control characters using the Red Hat diagnostic tool accessredhatcom/security/vulnerabilities/RHSB-2021-007 to detect RHSB-2021-007 Trojan source attacks (CVE-2021-42574,CVE-2021-42694) Inputs args Required The script arguments documented in src/READMEtxt Example usage name: Tests on: push: bra

记录我的2021年

AD 2021 记录下我的2021年。(Inspired by yihong) Github 收藏的博客序号博客备注 1 jimmysongio 云原生技术学习 2 githubcom/Maskhe/javasec Java 安全学习 3 土豆不好吃好多有趣的东西，极客风 4 safe6 safe6 师傅，web安全，安卓逆向 5 phith0n p牛！ 6 whoami whoami, web， ctfer 7 素18 su18 8 4ra1n

Checks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks. See CVE-2021-42574

BIDI Character Detector This tool checks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks to mitigate CVE-2021-42574 This tool was written in Rust and is distributed as a small (< 3MB) docker compatible container to allow fast and easy usage For an explanation of the attack, have a look at GitHub's blog entry or the

Trojan Source Exprimenting with CVE-2021-42574

Trojan Source:Invisible Vulnerabilities - (Code generator) — بكل بساطة اختصارا الثغرة عبارة عن ان الكود يكون شكله غير عن يوم تجميعه (: حيث يتمثل الهجوم في استخدام أحرف التحكم المضمنة في التعليقات والسلاسل لإعادة ترتيب أحرف التعليمات

Unicode Comb Recursively scan all files in a directory for insecure Unicode characters Background Re: "bidirectional override" trojansourcecodes/ cvemitreorg/cgi-bin/cvenamecgi?name=CVE-2021-42574 blogrust-langorg/2021/11/01/cve-2021-42574html Re: "HANGUL FILLER" certitudeconsulting/blog/en/invisible-backdoor/ Unsafe

Provides custom lint rules developed by Bottle Rocket Studios to help keep our code cleaner, detect and mitigate possible security issues, and allow us to write rules around best practices and usage as necessary in the future

CustomLintRules What this library does? This library currently provides the following lint rules that detect unsupported characters in source and xml files: TrojanSourceDetector - covers Java and Kotlin files TrojanXmlDetector - covers XML resource and Android manifest files A fatal lint error will be reported if any unicode (or unsupported ascii) characters are detected Onl

Trojan Source Maven Plugin

Trojan Source Maven Plugin This Maven plugin scans your source code for occurrences of trojan source as described on the following page: trojansourcecodes Trojan source attacks use unicode control characters to make evil source code look valid by reordering parts of it For a deeper explanation have a look on the above-mentioned page or even read the paper of Nicholas

Bittide aegir simulator

ægir ægir (Old Norse 'sea') is a multi-level bittide functional simulator ægir functionality includes: defining distributed applications using a simple DSL to construct pipelines of repeatable tasks that follow a synchronous dataflow programming model; purely functional simulation of above distributed applications; functional simulation of distrib

Trojan Source attack: Code that says one thing to humans tells your compiler something very different, warn academics

The Register • Gareth Corfield • 01 Nov 2021

Get our weekly newsletter Bi-directional character attack – simple and nightmarish

The way Unicode's UTF-8 text encoding handles different languages could be misused to write malicious code that says one thing to humans and another to compilers, academics are warning. "What if it were possible to trick compilers into emitting binaries that did not match the logic visible in source code?" ask Cambridge student Nicholas Boucher and Professor Ross Anderson in a paper published today. They say it is possible, and outlined a new threat [PDF] that could be deployed by future supply ...

CVE-2021-42574

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

Recent Articles

References

Vulmon Search

About

Products

Connect