Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
8.3
CVSSv3

CVE-2021-42694

Published: 01/11/2021 Updated: 11/04/2024
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
CVSS v3 Base Score: 8.3 | Impact Score: 6 | Exploitability Score: 1.6
VMScore: 455
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Subscribe to Unicode

Vulnerability Summary

An issue exists in the character definitions of the Unicode Specification up to and including 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

unicode unicode

Vendor Advisories

Red Hat: CVE-2021-42694
A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text Homoglyphs are different Unicode characters that, to the naked eye, look the same An attacker could use homoglyphs to deceive a human reviewer by creating a malicious patch containing fu ...
Arch Linux Issues:
An issue was discovered in the character definitions of the Unicode Specification through 140 The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier Adversaries can leverage this to inject code via adversarial identifier definitions in ...

Mailing Lists

Full Disclosure: Trojan Source Attacks
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Trojan Source Attacks <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: Nicholas Boucher &lt;nicholasboucher () cl ...

Github Repositories

https://github.com/simplylu/CVE-2021-42694

Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Python, Rust, JS, Cite from cvemitreorg An issue was discovered in the character definitions of the Unicode Specification through 140 The specification allows an adversary to produce source code identifiers such as function n

https://github.com/hffaust/CVE-2021-42574_and_CVE-2021-42694

CVE-2021-42574_and_CVE-2021-42694

https://github.com/pierDipi/unicode-control-characters-action

A GitHub Action to find Unicode control characters using the Red Hat diagnostic tool https://access.redhat.com/security/vulnerabilities/RHSB-2021-007 to detect RHSB-2021-007 Trojan source attacks (CVE-2021-42574,CVE-2021-42694)

Unicode Control Characters Action A GitHub Action to find Unicode control characters using the Red Hat diagnostic tool accessredhatcom/security/vulnerabilities/RHSB-2021-007 to detect RHSB-2021-007 Trojan source attacks (CVE-2021-42574,CVE-2021-42694) Inputs args Required The script arguments documented in src/READMEtxt Example usage name: Tests on: push: bra

https://github.com/js-on/CVE-2021-42694

Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Python, Rust, JS, Cite from cvemitreorg An issue was discovered in the character definitions of the Unicode Specification through 140 The specification allows an adversary to produce source code identifiers such as function n

References

NVD-CWE-Otherhttps://trojansource.codeshttp://www.unicode.org/versions/Unicode14.0.0/http://www.openwall.com/lists/oss-security/2021/11/01/1http://www.openwall.com/lists/oss-security/2021/11/01/6https://www.kb.cert.org/vuls/id/999008https://www.scyon.nl/post/trojans-in-your-source-codehttps://www.unicode.org/reports/tr36/https://cwe.mitre.org/data/definitions/1007.htmlhttps://www.unicode.org/reports/tr39/https://security.gentoo.org/glsa/202210-09https://nvd.nist.govhttps://github.com/simplylu/CVE-2021-42694https://access.redhat.com/security/cve/cve-2021-42694
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-2907hardcodedinjectCVE-2024-20359CVE-2024-2467CVE-2024-4077CVE-2024-22391cameraCVE-2024-20353
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook