CVE-2024-45411

2024-09-0919:15:13

CWE-693

GitHub_M

web.nvd.nist.gov

twig

php

security bypass

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

48.5%

JSON

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

symfonytwigRange1.0.0–1.44.8

symfonytwigRange2.0.0–2.16.1

symfonytwigRange3.0.0–3.14.0

VendorProductVersionCPE
symfonytwig*cpe:2.3:a:symfony:twig:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
symfony	twig	*	cpe:2.3:a:symfony:twig::::::::

CNA Affected

[
  {
    "vendor": "twigphp",
    "product": "Twig",
    "versions": [
      {
        "version": "> 1.0.0, < 1.44.8",
        "status": "affected"
      },
      {
        "version": "> 2.0.0, < 2.16.1",
        "status": "affected"
      },
      {
        "version": "> 3.0.0, < 3.14.0",
        "status": "affected"
      }
    ]
  }
]