Nicholas Boucher

#13311 of 53,633
20 Total CVSS
Vulnerabilities · 2
High
2
PT-2021-4639
10
2021-11-01
Atlassian · Jira · CVE-2021-42574
**Name of the Vulnerable Software and Affected Versions**

- Unicode Specification versions prior to 14.0
- Jira Service Management (affected versions not specified)
- Jira Software (affected versions not specified)
- Jira Work Management (affected versions not specified)

**Description**

The issue is related to the Bidirectional Algorithm in the Unicode Specification, which can be exploited to introduce targeted vulnerabilities invisibly to human reviewers. This is achieved by crafting source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. The Unicode Consortium has documented this class of vulnerability and provides guidance on mitigations. The vulnerability can affect applications that implement support for the Unicode Standard and the Unicode Bidirectional Algorithm. It is also known as the Trojan Source attack, which allows an adversary to encode source code for compilers accepting Unicode, introducing vulnerabilities that are not visible to human reviewers.

**Recommendations**

For Unicode Specification versions prior to 14.0: Consider implementing the guidance on mitigations provided by the Unicode Consortium in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax.

For Jira Service Management, Jira Software, and Jira Work Management: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-4640
10
2021-11-01
Unknown · Unicode Specification · CVE-2021-42694
**Name of the Vulnerable Software and Affected Versions**

- Unicode Specification versions through 14.0

**Description**

An issue was discovered in the character definitions of the Unicode Specification. The specification allows an adversary to produce source code identifiers, such as function names, using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. This issue can affect applications that implement support for The Unicode Standard, allowing an adversary to produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier.

**Recommendations**

For Unicode Specification versions through 14.0, consider implementing the mitigations provided in Unicode Technical Standard #39, Unicode Security Mechanisms, to address the issue of homoglyph characters being used to inject adversarial identifier definitions.

As a temporary workaround, developers can review their code to detect and prevent the use of homoglyph characters in source code identifiers. Additionally, restricting the use of international text that can be affected by this issue may help minimize the risk of exploitation until a more permanent solution is implemented.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
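
An added example, not code from this advisory, Atlassian or the Unicode Consortium: a simplified source scanner for the code-review workaround described in both entries above. It flags the bidirectional control characters behind CVE-2021-42574 and identifiers that mix scripts (CVE-2021-42694). Looking up a letter's script from its Unicode character name is an approximation assumed here, not the full UTS #39 mixed-script algorithm, and `scan`, `script_of` and `SAMPLE` are names chosen for this example.

```python
import re
import unicodedata

# Bidirectional formatting controls: embeddings/overrides (U+202A-U+202E)
# and isolates (U+2066-U+2069).
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}

# Identifier-like tokens: a letter or underscore, then word characters.
IDENT = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Approximate a letter's script as the first word of its Unicode name
    (assumption: good enough to separate LATIN, CYRILLIC, GREEK, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if ch.isalpha() and name else None


def scan(source):
    """Return (line, column, kind, detail) findings for one source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Bidi controls are flagged anywhere, including comments and strings.
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", unicodedata.name(ch)))
        # An identifier whose letters come from more than one script is a
        # homoglyph candidate; single-script non-Latin names are not flagged.
        for m in IDENT.finditer(line):
            scripts = {s for s in map(script_of, m.group()) if s}
            if len(scripts) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script-identifier",
                                 "+".join(sorted(scripts))))
    return findings


# Constructed sample; escapes keep the special characters visible in this listing.
SAMPLE = (
    "def pay(amount):\n"
    "    return amount  # reviewed\u202e\n"  # trailing RIGHT-TO-LEFT OVERRIDE
    "p\u0430y(amount)\n"                     # U+0430 is CYRILLIC SMALL LETTER A
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running a check like this in pre-commit or CI puts the review on the logical byte sequence the compiler sees rather than on the rendered text.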