
CVE-2021-42694

Published: 01/11/2021 Updated: 29/11/2021
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
CVSS v3 Base Score: 8.3 | Impact Score: 6 | Exploitability Score: 1.6
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in the character definitions of the Unicode Specification up to and including 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software.
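The summary above describes identifiers built from homoglyphs. As an added defensive example that is not part of this CVE record or of any tool it lists, the Python script below scans source text for non-ASCII identifiers, for the bidirectional-override control characters that the related Rust advisory on this page concerns, and for distinct identifiers that fold to the same visual skeleton. The confusable map is a small constructed subset, and the sample source is constructed for the example.

```python
import re
import unicodedata

# Constructed subset of Unicode confusables (Cyrillic look-alikes of Latin letters).
# A production checker would load the Unicode Consortium's full confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
}
# Bidi embedding/override/isolate controls that can reorder displayed text.
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# Unicode-aware identifier: a letter or underscore followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")

def skeleton(ident):
    """Fold an identifier to the Latin form it visually resembles."""
    folded = unicodedata.normalize("NFKC", ident)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def scan_source(text):
    """Report non-ASCII identifiers, bidi controls and look-alike identifier pairs."""
    findings = {"non_ascii": [], "bidi": [], "collisions": []}
    by_skeleton = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if unicodedata.bidirectional(ch) in BIDI_CONTROLS:
                findings["bidi"].append((lineno, f"U+{ord(ch):04X}"))
        for match in IDENT_RE.finditer(line):
            ident = match.group()
            if not ident.isascii():
                findings["non_ascii"].append((lineno, ident))
            by_skeleton.setdefault(skeleton(ident), set()).add(ident)
    # Two different spellings sharing one skeleton is the homoglyph pattern this CVE describes.
    for sk, variants in by_skeleton.items():
        if len(variants) > 1:
            findings["collisions"].append((sk, sorted(variants)))
    return findings

# Constructed sample: a second definition whose name uses Cyrillic U+0430 for "a".
SAMPLE = (
    "def check_auth(user):\n"
    "    return user.is_admin\n"
    "\n"
    "def check_\u0430uth(user):  # second letter is Cyrillic U+0430\n"
    "    return True\n"
    "\n"
    "if check_\u0430uth(current): grant()\n"
)
```

Running `scan_source(SAMPLE)` reports the two non-ASCII uses on lines 4 and 7 and one collision under the skeleton `check_auth`; a reviewer reading the rendered text would see only one name.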


Vulnerable Products

unicode (vendor) / unicode (product)

Vendor Advisories

A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. Homoglyphs are different Unicode characters that, to the naked eye, look the same. An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing fu ...
An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in ...

Mailing Lists

The Rust Security Response WG was notified of a security concern affecting source code containing "bidirectional override" Unicode codepoints: in some cases the use of those codepoints could lead to the reviewed code being different than the compiled code. This is a vulnerability in the Unicode spec ...

Github Repositories

CVE-2021-42694: Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Python, Rust, JS. Cite from cve.mitre.org: An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function n

CVE-2021-42574_and_CVE-2021-42694

Unicode Control Characters Action: A GitHub Action to find Unicode control characters using the Red Hat diagnostic tool (access.redhat.com/security/vulnerabilities/RHSB-2021-007) to detect RHSB-2021-007 Trojan Source attacks (CVE-2021-42574, CVE-2021-42694). Inputs: args (required), the script arguments documented in src/README.txt. Example usage: name: Tests on: push: bra

Recent Articles

‘Trojan Source’ Hides Invisible Bugs in Source Code
Threatpost • Lisa Vaas • 01 Nov 2021

Researchers have found a new way to encode potentially evil source code, such that human reviewers see a harmless version and compilers see the invisible, wicked version.
Named “Trojan Source attacks,” the method “exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers,” C...