CVE-2024-45411

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
8.6 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
symfonytwig
1.0.0 ≤
𝑥
< 1.44.8
symfonytwig
2.0.0 ≤
𝑥
< 2.16.1
symfonytwig
3.0.0 ≤
𝑥
< 3.14.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php-twig
bullseye
vulnerable
bullseye (security)
2.14.3-1+deb11u4
fixed
bookworm
3.5.1-1+deb12u1
fixed
bookworm (security)
3.5.1-1+deb12u1
fixed
sid
3.20.0-2
fixed
trixie
3.20.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php-twig
plucky
not-affected
oracular
needed
noble
Fixed 3.8.0-2ubuntu0.1~esm1
released
jammy
Fixed 3.3.8-2ubuntu4+esm2
released
focal
needs-triage
twig
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233
https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
https://lists.debian.org/debian-lts-announce/2024/09/msg00031.html