A vulnerability has been identified where special characters, known as Unicode bidirectional (Bidi) override characters, are not rendered or displayed in the affected applications. Browsers and code editors typically do not display these characters, yet they change the order in which the surrounding text is shown. A compiler or interpreter processes the source code in its logical (stored) order, so what the developer sees on screen can differ from what actually runs.
Technical details
Several popular development tools were found to be vulnerable to the bidirectional character based Trojan Source attack, in which Bidi override control characters that change the display order of text are embedded in source code, making the code appear different to a human reader than it does to the compiler or interpreter.
For example, when you copy and paste a code snippet containing Bidi override characters into a vulnerable code editor or code block, the Unicode characters that reorder the text are not displayed. Many websites and online editors don't render these special characters, so a developer could unintentionally introduce an attacker's code into their own codebase by copying and pasting a snippet from another vulnerable website without realizing it. More information on the security considerations for Bidi controls can be found in the Unicode standard (Unicode Technical Report #36, Unicode Security Considerations).
An illustration of bidirectional override characters in code:
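The following is an added example written for this page; it is not code from the original advisory, from Atlaskit, or from any of the affected products. The snippet, the constant TROJAN_SOURCE and the helpers runTrojanSource, findBidiControls and revealBidiControls are all constructed for illustration. It follows the "stretched string" pattern from the Trojan Source paper: a comparison that reads on screen as `!= "user"` actually compares against a longer string, so the privileged branch is always taken. The second half shows the check a code-rendering component can apply so that a reviewer sees the control characters instead of their effect, which is the approach the Atlaskit patches described later on this page take.

```javascript
// Added example (not from the Atlassian advisory or Atlaskit): a Trojan Source
// snippet built with Unicode Bidi control characters, plus the two checks a
// code-rendering component needs in order to make such characters visible.

// Constructed sample. The string literal in the comparison contains
// U+202E (RIGHT-TO-LEFT OVERRIDE), U+2066 (LEFT-TO-RIGHT ISOLATE) and
// U+2069 (POP DIRECTIONAL ISOLATE). In an editor that applies but does not
// display these characters, the second line reads roughly as:
//   if (accessLevel != "user") { // Check if admin
// To the JavaScript engine the literal is "user" followed by a space, the
// comment-looking tail and more control characters, so it never equals
// "user" and the "admin" branch is always taken.
const TROJAN_SOURCE =
  'const accessLevel = "user";\n' +
  'if (accessLevel != "user\u202E \u2066// Check if admin\u2069 \u2066") {\n' +
  '  return "admin";\n' +
  '}\n' +
  'return "user";';

// Execute the snippet as a function body and return which branch ran.
function runTrojanSource(src) {
  return new Function(src)();
}

// Characters with the Unicode Bidi_Control property: the embedding, override
// and isolate controls used by Trojan Source (U+202A..U+202E, U+2066..U+2069)
// plus the implicit marks U+200E, U+200F and U+061C. A scanner that only
// looks for the override pair U+202D/U+202E would miss the isolate-based
// variant used in the sample above.
const BIDI_CONTROL_RE = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/g;

// Format a code point as "U+XXXX" for display.
function formatCodePoint(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Return every Bidi control character in src with its position, so a
// reviewer or a CI check can see exactly where the displayed text and the
// compiler's view of it diverge.
function findBidiControls(src) {
  const hits = [];
  for (const m of src.matchAll(BIDI_CONTROL_RE)) {
    hits.push({ index: m.index, codePoint: formatCodePoint(m[0]) });
  }
  return hits;
}

// Replace each control character with a visible placeholder. The text keeps
// its logical order and the reader sees the controls instead of their effect,
// which is the same idea as a code renderer that visualizes these characters.
function revealBidiControls(src) {
  return src.replace(BIDI_CONTROL_RE, (ch) => "<" + formatCodePoint(ch) + ">");
}

// Stand-alone demonstration (run with node).
console.log("branch taken :", runTrojanSource(TROJAN_SOURCE));
console.log("controls     :", findBidiControls(TROJAN_SOURCE));
console.log("revealed     :\n" + revealBidiControls(TROJAN_SOURCE));
```

Two practical notes on the check. Legitimate Arabic or Hebrew text in comments and string literals can also contain these characters, so a lint or CI step should surface every hit for human review rather than reject the file outright. And the visualization only helps where it is applied: code that is pasted from a rendered web page into a local editor is only as safe as that editor's own handling of Bidi controls.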
MITRE has issued CVE-2021-42574 against the Unicode specification; it is used to track the primary attack pattern, which relies on Bidi control characters.
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own app and IT environment.
Impact to Atlassian
Fixed versions of the impacted Atlassian Cloud, Server, and Data Center products have been released to mitigate this vulnerability. A security advisory has been published as general guidance to customers about the impacted products.
- Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574
- CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites
What does it mean for my app?
The Atlaskit packages @atlaskit/editor-core, @atlaskit/editor-common, @atlaskit/renderer, and @atlaskit/code are also affected by CVE-2021-42574. Apps that make use of these components are also potentially vulnerable to the bidirectional character based Trojan Source attack.
Patches for these Atlaskit packages have been released that provide a visual representation of Bidi control characters. App developers whose codebase depends on these Atlaskit packages are recommended to upgrade to the following patched versions:
- @atlaskit/code@14.2.0
- @atlaskit/editor-common@60.3.0
- @atlaskit/editor-core@151.1.0
- @atlaskit/renderer@82.1.0
However, if your app does not use Atlaskit but makes use of an embedded code editor or a script console that does not visualize Bidi control characters, then your app is likely to be vulnerable as well.
Upgrading to patched versions of third-party code-rendering components, or switching to an alternative library that highlights these Unicode characters, are possible ways to mitigate the risk from this vulnerability.
If you have any questions or concerns, please reply to this thread or raise a support request at https://support.atlassian.com/.