CVE-2021-42574 - Unicode bidirectional override character trojan source attack

Is the severity based on the assumption that the service is accessible over the internet?


1 answer

1 vote
Daniel Eads Atlassian Team Dec 08, 2021

Hi @Sasi Venugopal, welcome to the Community!

For this particular vulnerability, the severity is not based on an assumption of network access. Due to the way the Unicode bidirectional characters are handled in various systems, including Jira before the patch, it would be possible for someone to trick a user into copying malicious code into a system.

Consider this scenario:

  1. A developer copies a piece of code from a blog or some other third-party source to their clipboard
  2. The developer pastes the code snippet into a Jira issue, behind a firewall
  3. The code snippet from Jira is included in a source file for an application the company is developing

In this short example, hidden characters could be included in the source even though Jira is behind a firewall. The fix changes the way Jira renders these characters so that they become visible.

Does this help answer your question?

Daniel | Atlassian Community
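The answer above describes two things a defender wants to reproduce: spotting the invisible bidirectional control characters before they reach a source file, and rendering them visibly the way the patched Jira does. The following is an added example written for this page, not code from Atlassian or from the Trojan Source paper; the sample snippet and its hidden override are constructed.

```python
import unicodedata

# Unicode bidirectional control characters abused in "Trojan Source"
# (CVE-2021-42574): embeddings, overrides, isolates and their terminators.
# Rendered invisibly, they change how source READS without changing how
# a compiler PARSES it.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', name) for every bidi control in text.

    Useful as a pre-commit or paste-time check: any hit in source code
    is suspicious, since these characters have no legitimate place there.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def make_visible(text):
    """Replace each bidi control with a visible <U+XXXX> marker.

    This mirrors the fix described in the answer: instead of honouring the
    control, the renderer shows it, so a reviewer sees that the line has
    been tampered with. Text without bidi controls is returned unchanged.
    """
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text
    )


# Constructed sample: a Right-to-Left Override (U+202E) hidden inside a
# comment, closed by Pop Directional Formatting (U+202C). In an editor that
# applies bidi rendering, the comment text displays reversed; nothing here
# is real project code.
SAMPLE = (
    "def check_access(user):\n"
    '    access_level = "user"  # \u202Elevel reset\u202C\n'
    "    return access_level\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
    print(make_visible(SAMPLE))
```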
