cvelist / Google / CVELIST:CVE-2021-22567
History: Jan 05, 2022 - 10:55 a.m.

CVE-2021-22567 Bidirectional Override in Dart SDK

2022-01-05 10:55:11
CWE-284
Google
www.cve.org
cve-2021-22567
bidirectional override
dart sdk
unicode text
code review
nefarious code
program behavior

CVSS3: 4.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score: 5.1
Confidence: High
EPSS: 0.001
Percentile: 19.4%

Bidirectional Unicode text can be interpreted and compiled differently from how it appears in editors, which can be exploited to get nefarious code past a code review by making it appear benign. An attacker could embed source text that is invisible to a code reviewer and that modifies the behavior of a program in unexpected ways.

CNA Affected

[
  {
    "product": "Dart SDK",
    "vendor": "Google LLC",
    "versions": [
      {
        "lessThan": "2.15.0-268.18.beta",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
