CVE-2022-39261

EUVD-2022-6700
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
symfonytwig
1.0.0 ≤
𝑥
< 1.44.7
symfonytwig
2.0.0 ≤
𝑥
< 2.15.3
symfonytwig
3.0.0 ≤
𝑥
< 3.4.3
drupaldrupal
8.0.0 ≤
𝑥
< 9.3.22
drupaldrupal
9.4.0 ≤
𝑥
< 9.4.7
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php-twig
bookworm
3.5.1-1
fixed
bookworm (security)
3.5.1-1+deb12u1
fixed
bullseye
2.14.3-1+deb11u2
fixed
bullseye (security)
2.14.3-1+deb11u3
fixed
sid
3.14.0-4
fixed
trixie
3.14.0-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php-twig
bionic
dne
focal
Fixed 2.12.5-1ubuntu0.1~esm1
released
jammy
Fixed 3.3.8-2ubuntu4+esm1
released
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
ignored
twig
bionic
Fixed 2.4.6-1ubuntu0.1~esm1
released
focal
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
Fixed 1.23.1-1ubuntu4+esm1
released
Common Weakness Enumeration
References
https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
https://www.debian.org/security/2022/dsa-5248
https://www.drupal.org/sa-core-2022-016
https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
https://www.debian.org/security/2022/dsa-5248
https://www.drupal.org/sa-core-2022-016