CVE-2022-39261

Published: 28/09/2022 Updated: 07/11/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Twig is a template language for PHP. Versions 1.x before 1.44.7, 2.x before 2.15.3, and 3.x before 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Vulnerable Products

symfony twig

drupal drupal

fedoraproject fedora 35

fedoraproject fedora 36

fedoraproject fedora 37

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1020991 php-twig: CVE-2022-39261. Package: src:php-twig; Maintainer for src:php-twig is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 30 Sep 2022 07:45:01 UTC; Severity: grave; Tags: security, upstream; Found ...
Marlon Starkloff discovered that twig, a template engine for PHP, did not correctly enforce sandboxing. This would allow a malicious user to execute arbitrary code. For the stable distribution (bullseye), this problem has been fixed in version 2.14.3-1+deb11u2. We recommend that you upgrade your php-twig packages. For the detailed security status o ...

Github Repositories

Github Advisory Scanner

Symfony Inspector Command. Clone: git clone gitlab.com/typomedia/inspector.git; cd inspector/; composer install --no-dev. Or download inspector.phar. Usage: bin/inspector check [options] [--] [<name>]. Arguments: lockfile - The path to the composer.lock file [default: "c