CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader

2022-09-2800:00:00

CWE-22

GitHub_M

www.cve.org

twig

filesystem loader

template

php

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.2%

JSON

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates’ directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

CNA Affected

[
  {
    "vendor": "twigphp",
    "product": "Twig",
    "versions": [
      {
        "version": "=> 1.0.0, < 1.44.7",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.15.3",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.4.3",
        "status": "affected"
      }
    ]
  }
]