CVE-2021-42574 - Unicode bidirectional override character trojan source attack

Sasi Venugopal
I'm New Here
December 8, 2021

Is the severity based on the assumption that the service is accessible over the internet?


1 answer

1 vote
Daniel Eads
Atlassian Team
December 8, 2021

Hi @Sasi Venugopal, welcome to the Community!

For this particular vulnerability, the severity is not based on an assumption of network access. Due to the way the Unicode bidirectional characters are handled in various systems, including Jira before the patch, it would be possible for someone to trick a user into copying malicious code into a system.

Consider this scenario:

  1. A developer copies a piece of code from a blog or some other third-party source to their clipboard
  2. The developer pastes the code snippet into a Jira issue, behind a firewall
  3. The code snippet from Jira is included in a source file for an application the company is developing

In this short example, hidden characters could be included in the source even though Jira is behind a firewall. The fix changes the way Jira renders these characters so that they become visible.

Does this help answer your question?

Thanks,
Daniel | Atlassian Community
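The answer above describes two defensive properties: a system should be able to detect Unicode bidirectional control characters in pasted text, and it should render them visibly instead of letting them silently reorder what a reviewer sees. The following script, added here as an illustration and not code from Atlassian or from the Jira fix, does both over a small constructed sample: `find_bidi_controls` reports each control character with its line and column, and `make_visible` replaces each one with a visible marker in the spirit of the rendering change Daniel mentions. The function names, the marker format, and the sample lines are my own assumptions.

```python
# Added example (not from the original answer or from Jira): detect and expose
# the Unicode bidirectional control characters abused in CVE-2021-42574.

# Bidi embedding/override/isolate controls (U+202A-U+202E, U+2066-U+2069).
# Abbreviations follow the Unicode Bidirectional Algorithm naming.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(text):
    """Return a list of (line, column, codepoint, abbreviation) tuples, one per
    bidi control character found in `text`. Lines and columns are 1-based."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return hits


def is_clean(text):
    """True when `text` contains no bidi control characters at all."""
    return not find_bidi_controls(text)


def make_visible(text):
    """Replace each bidi control with an ASCII marker such as <RLO> so that
    a reviewer sees the control instead of its reordering effect."""
    return "".join(
        f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch for ch in text
    )


# Constructed sample snippet: the second line hides an RLO and a PDI inside
# a comment, which is where a pasted snippet could carry them unnoticed.
LINE1 = "x = 1  # plain ASCII comment"
LINE2 = "y = 2  # \u202ethis looks reversed\u2069"
SAMPLE = LINE1 + "\n" + LINE2 + "\n"


def report(text):
    """Human-readable findings for `text`; returns the list of report lines."""
    lines = []
    for lineno, col, cp, abbr in find_bidi_controls(text):
        lines.append(f"line {lineno}, col {col}: {cp} ({abbr})")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
    print("--- rendered with controls made visible ---")
    print(make_visible(SAMPLE))
```

Running it as a script prints the two findings on line 2 of the sample and then the sample with `<RLO>` and `<PDI>` markers in place of the invisible characters. The same `find_bidi_controls` check fits naturally into a pre-commit hook or a CI linter, so that a snippet pasted from a tracker or a blog is flagged before it reaches a source file.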
