CVE-2022-39261
Published 2022-09-28. CVE-2022-39261: Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader…
Priority: P3 (46) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.49% (70.8th percentile)
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-twig | < php-twig 3.4.3-1 (bookworm) | php-twig 3.4.3-1 (bookworm) |
| drupal | core | >= 8.0.0 < 9.3.22 | 9.3.22 |
| drupal | core | >= 9.4.0 < 9.4.7 | 9.4.7 |
| drupal | drupal | >= 8.0.0 < 9.3.22 | 9.3.22 |
| drupal | drupal | >= 9.4.0 < 9.4.7 | 9.4.7 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| symfony | twig | >= 1.0.0 < 1.44.7 | 1.44.7 |
| symfony | twig | >= 2.0.0 < 2.15.3 | 2.15.3 |
| symfony | twig | >= 3.0.0 < 3.4.3 | 3.4.3 |
| twig | twig | >= 0 < 1.23.1-1ubuntu4+esm1 | 1.23.1-1ubuntu4+esm1 |
| twig | twig | >= 0 < 2.4.6-1ubuntu0.1~esm1 | 2.4.6-1ubuntu0.1~esm1 |
| twig | twig | >= 1.0.0 < 1.44.7 | 1.44.7 |
| twig | twig | >= 2.0.0 < 2.15.3 | 2.15.3 |
| twig | twig | >= 3.0.0 < 3.4.3 | 3.4.3 |
| twigphp | twig | — | — |
| twigphp | twig | — | — |
| twigphp | twig | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 3.7 | LOW | — |
OSV
osv · 2023-03-13 · CVSS 3.7
CVE-2019-9942 [LOW] php-twig, twig vulnerabilities
Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)
Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)
Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthori
GHSA
ghsa · 2022-09-30 · CWE-22
CVE-2022-39261 [HIGH] Twig may load a template outside a configured directory when using the filesystem loader
# Description
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed).
# Resolution
We fixed validation for such template names.
Even if the 1.x branch is not maintained anymore, a new version has been released.
# Credits
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
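The summary at the top of this page and the GHSA Description/Resolution above describe the bug in one sentence: a namespaced name such as `@somewhere/../some.file` gets past the loader's traversal validation. The following script is an added illustration, not Twig's own code, and it runs without Twig installed. It models a Twig-style filesystem loader's name handling with a depth-counting traversal check (`validate_name`) and a namespace splitter (`parse_name`); the assumption it encodes, drawn from the advisory text, is that the pre-fix loader ran the check on the full name before splitting off the namespace, while the fix checks the short name that is actually joined onto the namespace directory. The `pages` namespace, the file names and the `?template=` scenario are constructed for the demonstration; `template_for` is a hypothetical application-side allow-list, not a Twig API.

```php
<?php
declare(strict_types=1);

// Added example, not Twig's own code. Models the template-name handling of a
// Twig-style filesystem loader to show why "@ns/../file" passed the traversal
// check before the fix and how checking the right string closes it.

// Depth-counting traversal check: every segment other than "." descends one
// level, ".." ascends one; climbing above the starting directory is rejected.
function validate_name(string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                       // NUL bytes truncate C-level paths
    }
    $level = 0;
    foreach (explode('/', ltrim($name, '/')) as $part) {
        if ($part === '..') {
            $level--;
        } elseif ($part !== '.') {
            $level++;
        }
        if ($level < 0) {
            return false;
        }
    }
    return true;
}

// Split "@namespace/short/name" into [namespace, shortname]; names without a
// leading "@" belong to the main namespace.
function parse_name(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $pos = strpos($name, '/');
        if ($pos === false) {
            throw new InvalidArgumentException("Malformed namespaced template name: $name");
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    return ['__main__', $name];
}

// Pre-fix ordering (assumed from the advisory): the check runs on the full
// name, so "@ns" is counted as a directory level and absorbs one "..".
function accepts_vulnerable(string $name): bool
{
    if (!validate_name($name)) {
        return false;
    }
    parse_name($name);                      // the short name is never re-checked
    return true;
}

// Fixed ordering: split off the namespace first, then check the part that is
// actually joined onto that namespace's directory.
function accepts_fixed(string $name): bool
{
    [, $shortname] = parse_name($name);
    return validate_name($shortname);
}

// Hypothetical application-side guard, worth having on any Twig version: never
// pass raw user input to render(); map a user-chosen key to a fixed name.
function template_for(string $userChoice, array $allowed): string
{
    if (!array_key_exists($userChoice, $allowed)) {
        throw new InvalidArgumentException('unknown template key');
    }
    return $allowed[$userChoice];
}

// Constructed inputs: a namespace "pages" registered with addPath(), and names
// an attacker might submit through a parameter such as ?template=...
$cases = [
    '@pages/index.html.twig',      // legitimate
    '@pages/../secrets.yaml',      // one level above the namespace directory
    '@pages/../../etc/passwd',     // deeper escape: still caught by the counter
    '../secrets.yaml',             // no namespace: caught either way
    "@pages/x\0.twig",             // NUL byte: caught either way
];
printf("%-28s %-11s %s\n", 'name', 'vulnerable', 'fixed');
foreach ($cases as $name) {
    printf("%-28s %-11s %s\n", str_replace("\0", '\0', $name),
        accepts_vulnerable($name) ? 'accept' : 'reject',
        accepts_fixed($name) ? 'accept' : 'reject');
}

$allowed = ['home' => '@pages/index.html.twig', 'about' => '@pages/about.html.twig'];
echo template_for('home', $allowed), "\n";
```

Run it with `php name_check.php`. In this model the only name the two orderings disagree on is `@pages/../secrets.yaml`: the `@pages` segment contributes the one level that the following `..` consumes, so a single `..` after a namespace prefix lands one directory above that namespace's configured path, while longer `..` chains and non-namespaced names are rejected by both orderings. That is why the advisory names only upgrading as the remedy: the flaw sits in the loader's own check, and the allow-list shown here is defence in depth against handing user input to the loader at all, not a replacement for the fixed versions.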
OSV
osv · 2022-09-30
CVE-2022-39261 [HIGH] Twig may load a template outside a configured directory when using the filesystem loader (OSV mirror of the GHSA advisory above; same Description, Resolution and Credits text)
OSV
osv · 2022-09-28 · CVSS 7.5
CVE-2022-39261 [HIGH] CVE-2022-39261: Twig is a template language for PHP (same description as the summary at the top of this page)
OSV
osv · 2022-09-28
CVE-2022-39261 CVE-2022-39261: Drupal uses the Twig third-party library
Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization. [Twig has released a security update](https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader) that affects Drupal. Twig has rated the vulnerability as high severity.
Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.
Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.
The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access adm
Ubuntu
vendor_ubuntu · 2023-03-13 · CVSS 3.7
CVE-2019-9942 [LOW] Twig vulnerabilities
Summary: Several security issues were fixed in Twig.
Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)
Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)
Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacke
Drupal
vendor_drupal · 2022-09-28
CVE-2022-39261 [HIGH] Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
Vulnerability Type: Multiple vulnerabilities
Description: Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate a related vulnerability. Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials. The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploi
Debian
vendor_debian · 2022 · CVSS 7.5
CVE-2022-39261 [HIGH] php-twig: Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to ... (same description as the summary at the top of this page)
Scope: local
bookworm: resolved (fixed in 3.4.3-1)
bullseye: resolved (fixed in 2.14.3-1+deb11u2)
forky: resolved (fixed in 3.4.3-1)
sid: resolved (fixed in 3.4.3-1)
trixie: resolved (fixed in 3.4.3-1)
No detection rules found.
No public exploits indexed.
References
https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
https://www.debian.org/security/2022/dsa-5248
https://www.drupal.org/sa-core-2022-016
Published: 2022-09-28