CVE-2022-39261

CWE-22 — Path Traversal9 documents7 sources

Severity

7.5HIGH

EPSS

9.5%

top 7.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Symfony Twig Drupal Core +4 more

Timeline

PublishedSep 28

Latest updateMar 13

Description

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such temp…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶Packagisttwig/twig1.0.0 — 1.44.7+2

▶NVDsymfony/twig1.0.0 — 1.44.7+2

▶Debianphp-twig< 2.14.3-1+deb11u2+3

▶CVEListV5twigphp/twig=> 1.0.0, < 1.44.7, >= 2.0.0, < 2.15.3, >= 3.0.0, < 3.4.3+2

▶Packagistdrupal/core8.0.0 — 9.3.22+1

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36, 37

Patches

Patch: github.com ↗Patch: www.drupal.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Twig may load a template outside a configured directory when using the filesystem loader↗2022-09-30

▶

OSV

Twig may load a template outside a configured directory when using the filesystem loader↗2022-09-30

▶

OSV

CVE-2022-39261: Twig is a template language for PHP↗2022-09-28

▶

CVEList

Twig may load a template outside a configured directory when using the filesystem loader↗2022-09-28

▶

OSV

CVE-2022-39261: Drupal uses the [Twig](https://twig↗2022-09-28

▶

📋Vendor Advisories

Ubuntu

Twig vulnerabilities↗2023-03-13

▶

Drupal

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016↗2022-09-28

▶

Debian

CVE-2022-39261: php-twig - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to ...↗2022

▶