{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T16:41:17.262","vulnerabilities":[{"cve":{"id":"CVE-2021-42574","sourceIdentifier":"cve@mitre.org","published":"2021-11-01T04:15:07.970","lastModified":"2024-11-21T06:27:50.130","vulnStatus":"Modified","cveTags":[{"sourceIdentifier":"cve@mitre.org","tags":["disputed"]}],"descriptions":[{"lang":"en","value":"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm."},{"lang":"es","value":"** EN DISPUTA** Se ha detectado un problema en el algoritmo bidireccional de la especificación Unicode hasta la versión 14.0. Permite la reordenación visual de los caracteres a través de secuencias de control, lo que puede ser utilizado para crear código fuente que se traduce en una lógica diferente a la ordenación lógica de los tokens ingeridos por los compiladores e intérpretes. Los adversarios pueden aprovechar esto para codificar el código fuente de los compiladores que aceptan Unicode, de manera que las vulnerabilidades objetivo se introduzcan de forma invisible para los revisores humanos. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar esta preocupación. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el estándar Unicode y el algoritmo bidireccional Unicode (todas las versiones). Debido al comportamiento de la visualización del texto cuando éste incluye caracteres de izquierda a derecha y de derecha a izquierda, el orden visual de los tokens puede ser diferente de su orden lógico. Además, los caracteres de control necesarios para cumplir los requisitos del texto bidireccional pueden ofuscar aún más el orden lógico de las fichas. A menos que se mitigue, un adversario podría elaborar el código fuente de tal manera que el orden de los tokens percibido por los revisores humanos no coincida con el que será procesado por un compilador/interpretador/etc. El Consorcio Unicode ha documentado esta clase de vulnerabilidad en su documento, Informe Técnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode también proporciona orientación sobre las mitigaciones para esta clase de problemas en la Norma Técnica de Unicode #39, Mecanismos de Seguridad de Unicode, y en el Anexo de la Norma de Unicode #31, Identificador de Unicode y Sintaxis de Patrones. Además, la especificación BIDI permite a las aplicaciones adaptar la implementación de manera que pueda mitigar la reordenación visual engañosa en el texto del programa; véase HL4 en el Anexo #9 del Estándar Unicode, Algoritmo Bidireccional Unicode."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","baseScore":5.1,"accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*","versionEndExcluding":"14.0.0","matchCriteriaId":"FAB64729-AF3D-46C0-B3B9-1588B46C524A"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","matchCriteriaId":"E460AA51-FCDA-46B9-AE97-E6676AA5E194"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","matchCriteriaId":"A930E247-0B43-43CB-98FF-6CE7B8189835"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","matchCriteriaId":"80E516C0-98A4-4ADE-B69F-66A772E2BAAA"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*","matchCriteriaId":"DE49F316-C502-4D7A-AA70-D7745AEDAA93"}]}]}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/1","source":"cve@mitre.org","tags":["Exploit","Mailing List","Mitigation","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/4","source":"cve@mitre.org","tags":["Exploit","Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/5","source":"cve@mitre.org","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/6","source":"cve@mitre.org","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/02/10","source":"cve@mitre.org","tags":["Mailing List"]},{"url":"http://www.unicode.org/versions/Unicode14.0.0/","source":"cve@mitre.org","tags":["Release Notes","Vendor Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/","source":"cve@mitre.org"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/","source":"cve@mitre.org"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/","source":"cve@mitre.org"},{"url":"https://security.gentoo.org/glsa/202210-09","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https://trojansource.codes","source":"cve@mitre.org","tags":["Exploit","Technical Description","Third Party Advisory"]},{"url":"https://www.kb.cert.org/vuls/id/999008","source":"cve@mitre.org","tags":["Third Party Advisory","US Government Resource"]},{"url":"https://www.scyon.nl/post/trojans-in-your-source-code","source":"cve@mitre.org","tags":["Exploit","Mitigation","Third Party Advisory"]},{"url":"https://www.starwindsoftware.com/security/sw-20220804-0002/","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https://www.unicode.org/reports/tr31/","source":"cve@mitre.org","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr36/","source":"cve@mitre.org","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr39/","source":"cve@mitre.org","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","source":"cve@mitre.org","tags":["Technical Description","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Mitigation","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/01/6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2021/11/02/10","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"http://www.unicode.org/versions/Unicode14.0.0/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Vendor Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://security.gentoo.org/glsa/202210-09","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://trojansource.codes","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Technical Description","Third Party Advisory"]},{"url":"https://www.kb.cert.org/vuls/id/999008","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"]},{"url":"https://www.scyon.nl/post/trojans-in-your-source-code","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mitigation","Third Party Advisory"]},{"url":"https://www.starwindsoftware.com/security/sw-20220804-0002/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.unicode.org/reports/tr31/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr36/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr39/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description","Vendor Advisory"]},{"url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description","Vendor Advisory"]}]}}]}