CVE-2022-39261

2022-09-2814:15:10

CWE-22

[email protected]

web.nvd.nist.gov

103

cve-2022-39261

twig

php

template language

filesystem loader

security vulnerability

arbitrary file read

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.2%

JSON

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates’ directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Affected configurations

Vulners

NVD

Node

twigphptwigMatch1.0.0

twigphptwigRange2.0.0–2.15.3

twigphptwigRange3.0.0–3.4.3

CPENameOperatorVersion
symfony:twigsymfony twiglt1.44.7
symfony:twigsymfony twiglt2.15.3
symfony:twigsymfony twiglt3.4.3

CPE	Name	Operator	Version
symfony:twig	symfony twig	lt	1.44.7
symfony:twig	symfony twig	lt	2.15.3
symfony:twig	symfony twig	lt	3.4.3

CNA Affected

[
  {
    "vendor": "twigphp",
    "product": "Twig",
    "versions": [
      {
        "version": "=> 1.0.0, < 1.44.7",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.15.3",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.4.3",
        "status": "affected"
      }
    ]
  }
]