CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites
A vulnerability (CVE-2021-42574) has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. Browsers and code editors typically do not show these characters, yet they change the order in which the surrounding text is displayed, so code can look different on screen from the logical order in which a compiler or interpreter processes it. An attacker can use this to hide a change in the meaning of source code from a human reviewer.
Atlassian Cloud products have deployed a mitigation that gives these special characters a visible representation. A number of common places where code is displayed, such as in a pull request, code snippet, or code block, were updated to highlight Unicode bidirectional characters. In browser applications, a tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.
Here's an illustration of the mitigation.
In mobile apps and mobile web views, the characters are displayed and highlighted, without the tooltip.
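The following is an added example, not code from Atlassian or from the affected products, showing the two halves of the problem described above: a scanner that finds and visibly marks the Unicode bidirectional control characters in a piece of source text (the same idea as the highlighting mitigation), and a constructed Python snippet in which a right-to-left override hides a second condition so that the displayed code suggests an admin check that the interpreter never grants. The function names, the constructed sample and the `<U+XXXX>` marker format are assumptions made for this illustration.

```python
import unicodedata

# Code points that influence bidirectional display order. Each one is
# invisible in most browsers and editors but can reorder how the rest of
# the line is drawn. (Assumed set: the explicit formatting characters plus
# the three implicit marks.)
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f"          # ALM, LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"    # LRI, RLI, FSI, PDI
)


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', name) for every bidi control in text.

    Line and column numbers are 1-based so they can be reported like a
    linter finding against a pull request or code snippet.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def highlight(text):
    """Replace each bidi control with a visible <U+XXXX> marker.

    This mirrors the mitigation described above: the character is kept, but
    the reader can now see that it is there and where it sits.
    """
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text
    )


# Constructed sample (not taken from any real repository). Line 3 contains a
# RIGHT-TO-LEFT OVERRIDE (U+202E) followed by isolates, so a bidi-aware
# renderer can draw the rest of that line out of logical order and make the
# trailing `and access_level != "user"` look like part of a comment. The
# interpreter ignores display order and reads the line left to right.
SAMPLE_SOURCE = (
    'access_level = "user"\n'
    'is_admin = False\n'
    'if access_level != "none\u202e \u2066# Check if admin\u2069 \u2066"'
    ' and access_level != "user":\n'
    '    is_admin = True\n'
)


def evaluate_sample(source):
    """Execute the constructed sample and report whether it granted admin.

    Only ever call this on the constructed sample above; exec of untrusted
    text is exactly what a reviewer should not do.
    """
    namespace = {}
    exec(source, namespace)
    return namespace["is_admin"]


if __name__ == "__main__":
    for line, col, cp, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line} col {col}: {cp} {name}")
    print(highlight(SAMPLE_SOURCE))
    print("admin granted:", evaluate_sample(SAMPLE_SOURCE))
```

Running the script lists four findings, all on line 3 of the sample, prints the source with each control character replaced by a visible marker, and reports `admin granted: False`: the hidden `and access_level != "user"` clause is evaluated by the interpreter even though the rendered line suggests the check ends at `"none"`. A pre-receive hook or CI step that rejects any non-empty result from `find_bidi_controls` on changed files is a simple complement to the visual highlighting described above.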
The following products were affected and have already deployed a fix:
Bitbucket Cloud web
Confluence Cloud web
Confluence Cloud iOS and Android
Jira Cloud web
Jira Cloud iOS and Android
Jira Mac
Jira Service Management Cloud web
Jira Service Management Cloud iOS and Android
Jira Service Management Mac
Trello web
Trello iOS and Android
Trello Mac and Windows
Our product and support teams are available for feedback and to provide clarification if needed.
For details on how this issue affects server and Data Center products, see Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574