CVE-2021-42694

HIGH
Published Nov 1, 20214y ago · Modified Jun 17, 20262w ago
8.3 CVSS 3.1
High
Find Similar
Published Nov 1, 2021 4y ago
Last Modified Jun 17, 2026 2w ago

Description

An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

CVSS Details

Base Score
8.3
Exploitability
1.6
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
unicodeunicode* <14.0.0

References 10

  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/1
    Mailing ListThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/6
    Mailing ListThird Party Advisory
  • unicode.org http://www.unicode.org/versions/Unicode14.0.0/
    Release NotesVendor Advisory
  • cwe.mitre.org https://cwe.mitre.org/data/definitions/1007.html
    Third Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202210-09
    Third Party Advisory
  • trojansource.codes https://trojansource.codes
    Third Party Advisory
  • kb.cert.org https://www.kb.cert.org/vuls/id/999008
    Third Party AdvisoryUS Government Resource
  • scyon.nl https://www.scyon.nl/post/trojans-in-your-source-code
    ExploitThird Party Advisory
  • unicode.org https://www.unicode.org/reports/tr36/
    Technical DescriptionVendor Advisory
  • unicode.org https://www.unicode.org/reports/tr39/
    Technical DescriptionVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.