CVE-2021-42574 - Unrendered unicode bidirectional override characters in Cloud sites

A vulnerability (CVE-2021-42574 )has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.

Atlassian Cloud products have deployed a mitigation strategy which involves providing a visual representation of these special characters. A number of common places where code is displayed, such as in a pull request, code snippet, or code block, were updated to highlight Unicode bidirectional characters. In browser applications, a tooltip prompts users to take some time to understand what the characters are doing, and how the code will be interpreted when executed.

Here's an illustration of the mitigation.

In mobile apps and mobile web views, the characters are displayed and highlighted, without the tooltip.

The following products were affected and already have deployed a fix:

  • Bitbucket Cloud web

  • Confluence Cloud web

  • Confluence Cloud iOS and Android

  • Jira Cloud web

  • Jira Cloud iOS and Android

  • Jira Mac

  • Jira Service Management Cloud web

  • Jira Service Management Cloud iOS and Android

  • Jira Service Management Mac

  • Trello web

  • Trello iOS and Android

  • Trello Mac and Windows


Our product & support teams will be available for feedback, and to provide clarification if needed.

For details on how this issue affects server and Data Center products, see Multiple Products Security Advisory - Unrendered unicode bidirectional override characters - CVE-2021-42574




Last modified on Oct 29, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.