CVE-2022-23614
published 2022-02-04
Priority P2 · 62 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.28% (94.2th percentile)
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.
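The following is an added example, not Twig's own code: a stripped-down model of how a `sort`-style filter hands its `arrow` argument to PHP, and the Closure check the advisory describes as the fix. The function names (`sortVulnerable`, `sortHardened`), the `$sandboxed` flag standing in for Twig's sandbox extension state, and the input array are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Twig's own code. Models the `arrow` handling of the
// `sort` filter before and after the fix described in the advisory.

final class SandboxViolation extends RuntimeException {}

/**
 * Vulnerable shape: any PHP callable is accepted and passed to usort().
 * PHP treats a plain string as a callable naming a function, so a template
 * author inside a sandbox could name any PHP function as the comparator.
 */
function sortVulnerable(array $items, $arrow = null): array
{
    if ($arrow === null) {
        sort($items);            // default path, no callback involved
        return $items;
    }
    usort($items, $arrow);       // $arrow may be a string naming any function
    return $items;
}

/**
 * Hardened shape (the check the fix adds): when the environment is
 * sandboxed, refuse anything that is not a Closure before it reaches usort().
 * $sandboxed is an assumed stand-in for "the sandbox extension is active".
 */
function sortHardened(array $items, $arrow, bool $sandboxed): array
{
    if ($arrow === null) {
        sort($items);
        return $items;
    }
    if ($sandboxed && !$arrow instanceof Closure) {
        throw new SandboxViolation(
            'The callable passed to the "sort" filter must be a Closure in sandbox mode.'
        );
    }
    usort($items, $arrow);
    return $items;
}

// Constructed input. A harmless named function stands in for any PHP
// function an attacker could name in its place.
$items   = ['pear', 'Apple', 'fig'];
$named   = 'strcasecmp';                                        // string callable
$closure = fn (string $a, string $b): int => strcasecmp($a, $b); // Closure

print_r(sortVulnerable($items, $named));        // string callable is invoked: Apple, fig, pear
print_r(sortHardened($items, $closure, true));  // Closure accepted in sandbox: Apple, fig, pear

try {
    sortHardened($items, $named, true);
} catch (SandboxViolation $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // string callable refused
}
```

The point of the check is where it sits: it runs before `usort()`, so the string never becomes a call. Outside the sandbox (`$sandboxed === false`) the hardened version behaves like the vulnerable one, which matches the advisory's scope.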
Affected
12 ranges listed by sources; exact duplicate rows collapsed
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-twig | < 3.3.8-1 (bookworm) | 3.3.8-1 (bookworm) |
| fedoraproject | fedora | — | — |
| symfony | twig | >= 2.0.0, < 2.14.11 | 2.14.11 |
| symfony | twig | >= 3.0.0, < 3.3.8 | 3.3.8 |
| twig | twig (Ubuntu ESM package) | >= 0, < 1.23.1-1ubuntu4+esm1 | 1.23.1-1ubuntu4+esm1 |
| twig | twig (Ubuntu ESM package) | >= 0, < 2.4.6-1ubuntu0.1~esm1 | 2.4.6-1ubuntu0.1~esm1 |
| twig | twig | >= 2.0.0, < 2.14.11 | 2.14.11 |
| twig | twig | >= 3.0.0, < 3.3.8 | 3.3.8 |
| twigphp | twig | — | — |
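An added example (not part of the page's sources) for checking a Composer-managed deployment against the upstream ranges in the table above. The composer.lock fragment is constructed; the function names are assumptions. Distribution packages (the Debian and Ubuntu rows) carry their own version strings and must be compared against the distro's fixed versions, not these ranges.

```php
<?php
declare(strict_types=1);

// Added example, not the page's or the project's code. Upstream affected
// ranges from the advisory: 2.0.0 <= v < 2.14.11 and 3.0.0 <= v < 3.3.8.
const TWIG_AFFECTED_RANGES = [
    ['2.0.0', '2.14.11'],
    ['3.0.0', '3.3.8'],
];

/** True when $version falls inside one of the upstream affected ranges. */
function isAffectedTwigVersion(string $version): bool
{
    $v = ltrim($version, 'v');                 // composer reports tags as "v3.3.7"
    foreach (TWIG_AFFECTED_RANGES as [$lo, $fixed]) {
        if (version_compare($v, $lo, '>=') && version_compare($v, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

/** Returns the twig/twig version pinned in composer.lock contents, or null. */
function lockedTwigVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') === 'twig/twig') {
            return $pkg['version'];
        }
    }
    return null;
}

// Constructed composer.lock fragment for the demo (not from a real project).
$lockJson = '{"packages":[{"name":"twig/twig","version":"v3.3.7"}],"packages-dev":[]}';

$version = lockedTwigVersion($lockJson);
if ($version === null) {
    echo "twig/twig is not pinned in this lock file\n";
} else {
    printf(
        "twig/twig %s: %s\n",
        $version,
        isAffectedTwigVersion($version) ? 'AFFECTED, upgrade to 3.3.8 or 2.14.11' : 'not in an affected range'
    );
}
```

Read the real file with `file_get_contents('composer.lock')` in place of the constructed string. Twig 1.x is not listed in the upstream advisory, so the check reports only 2.x and 3.x ranges; the Ubuntu ESM rows above show that 1.x packages were patched by the distribution separately.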
Detection & IOCs (extracted from sources)
- Look for Twig `sort` filter usage with a non-Closure `arrow` parameter in sandbox mode; a string or array callable in that position is the signature of an attempt to run an arbitrary PHP function.
- Audit templates rendered in sandbox mode (user-supplied ones above all) for `sort` filter calls whose `arrow` argument is not an arrow function, e.g. a string naming a PHP function; that is the injection vector.
- NodeJS-based Twig implementations are not affected; focus detection effort on PHP Twig deployments running in sandbox mode.
- The issue only matters in sandbox mode: Twig treats non-sandboxed templates as trusted code, so outside the sandbox there is no security boundary for this check to enforce.
- Fixed Debian package versions: php-twig >= 3.3.8-1 (bookworm/forky/sid/trixie) and >= 2.14.3-1+deb11u1 (bullseye); confirm deployed package versions meet these thresholds.
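As an added example that is not from the page's sources, the audit in the bullets above expressed as a static check over Twig template source: it flags `sort(` calls whose first argument is a quoted string literal (a string callable) and leaves arrow functions alone. The sample templates are constructed; the function name is an assumption. The regex is a heuristic: an `arrow` supplied through a variable would not be caught and needs manual review.

```php
<?php
declare(strict_types=1);

// Added example, not from the page's sources or the Twig project.
// Scans Twig template source for `|sort('name')` / `|sort("name")`, i.e. a
// string callable where the advisory says only a Closure is acceptable in
// sandbox mode. Arrow functions such as `(a, b) => a <=> b` are not flagged.

/**
 * Returns one finding per suspicious call: [line number, matched text, named function].
 */
function findNonClosureSortArrows(string $template): array
{
    $findings = [];
    // |sort( <quote> name <same quote> )   with optional whitespace throughout
    $pattern = '/\|\s*sort\s*\(\s*([\'"])([^\'"]+)\1\s*\)/';
    foreach (explode("\n", $template) as $i => $line) {
        if (preg_match_all($pattern, $line, $matches, PREG_SET_ORDER)) {
            foreach ($matches as $m) {
                $findings[] = [$i + 1, trim($m[0]), $m[2]];
            }
        }
    }
    return $findings;
}

// Constructed sample template, not from any real deployment.
$template = <<<'TWIG'
{# arrow function: fine in sandbox mode #}
{% for u in users|sort((a, b) => a.name <=> b.name) %}{{ u.name }}{% endfor %}
{# no arrow at all: fine #}
{{ names|sort }}
{# string callables: the pattern the advisory forbids in sandbox mode #}
{{ names|sort('strcasecmp') }}
{{ ids | sort( "intval" ) }}
TWIG;

$findings = findNonClosureSortArrows($template);
foreach ($findings as [$line, $text, $callee]) {
    printf("line %d: %s (named PHP function: %s)\n", $line, $text, $callee);
}
if ($findings === []) {
    echo "no string callables passed to sort\n";
}
```

On the sample this reports lines 6 and 7 only. Run it over the template store or upload directory of any application that renders untrusted templates in Twig's sandbox, and treat any hit on a pre-fix version as an incident indicator rather than a style issue.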
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 3.7 | LOW | — |
The Ubuntu figure appears to be the score of the multi-CVE USN entry below, whose headline item is CVE-2019-9942, rather than a rating of this CVE on its own.
OSV
osv · 2023-03-13 · CVSS 3.7
CVE-2019-9942 [LOW] php-twig, twig vulnerabilities (Ubuntu USN mirrored by OSV; includes CVE-2022-23614)
Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)
Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)
Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthori
GHSA
ghsa · 2022-02-10
CVE-2022-23614 [HIGH] CWE-74 Code injection in Twig
# Description
When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions.
# Resolution
We now disallow calling non Closure in the `sort` filter like we already did for some other filters.
# Credits
We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing the issue.
OSV
osv · 2022-02-10
CVE-2022-23614 [HIGH] Code injection in Twig
Same advisory text as the GHSA entry above (GHSA-5mv2-rx3q-4w2v).
OSV
osv · 2022-02-04 · CVSS 9.8
CVE-2022-23614 [CRITICAL] Twig is an open source template language for PHP
Same text as the NVD description at the top of this page.
Ubuntu
vendor_ubuntu · 2023-03-13 · CVSS 3.7
CVE-2019-9942 [LOW] Twig vulnerabilities
Summary: Several security issues were fixed in Twig.
Advisory text as in the OSV "php-twig, twig vulnerabilities" entry above (CVE-2019-9942, CVE-2022-23614 and a third, truncated item).
Red Hat
vendor_redhat · 2022-02-05 · CVSS 8.8
CVE-2022-23614 [HIGH] CWE-77 twig: Disallow non closures in `sort` filter when the sandbox mode is enabled
Description as in the NVD text at the top of this page.
Statement: Red Hat CodeReady Workspaces is not affected by this vulnerability as it uses a NodeJS implementation of twig instead of the twig PHP implementation, which is the affected implementation for this flaw.
Debian
vendor_debian · 2022 · CVSS 8.8
CVE-2022-23614 [HIGH] php-twig
Description as in the NVD text at the top of this page.
Scope: local
bookworm: resolved (fixed in 3.3.8-1)
bullseye: resolved (fixed in 2.14.3-1+deb11u1)
forky: resolved (fixed in 3.3.8-1)
sid: resolved (fixed in 3.3.8-1)
trixie: resolved (fixed in 3.3.8-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
- https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
- https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/
- https://www.debian.org/security/2022/dsa-5107
Published: 2022-02-04