CVE-2021-42574
Public on 2021-11-01
Modified on 2023-01-18
Description
A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | gcc | 2022-04-25 | ALAS2-2022-1784 | Fixed |
| Amazon Linux 2023 | gcc | 2023-02-17 | ALAS2023-2023-030 | Fixed |
| Amazon Linux 2 - Core | gcc10 | 2022-04-25 | ALAS2-2022-1784 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| NVD | CVSSv2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |