Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5947-1.NASL
HistoryMar 13, 2023 - 12:00 a.m.

Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Twig vulnerabilities (USN-5947-1)

2023-03-1300:00:00
Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
75
ubuntu 16.04 esm
ubuntu 18.04 esm
ubuntu 20.04 esm
ubuntu 22.04 esm
twig vulnerabilities
information disclosure
code injection
arbitrary file reading
php
sandbox mode
closure
cve-2019-9942
cve-2022-23614
cve-2022-39261
nessus scanner

0.026 Low

EPSS

Percentile

90.3%

JSON

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5947-1 advisory.

  • A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place. (CVE-2019-9942)

  • Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code.
    Patched versions now disallow calling non Closure in the sort filter as is the case for some other filters. Users are advised to upgrade. (CVE-2022-23614)

  • Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates’ directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5947-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(172497);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");

  script_cve_id("CVE-2019-9942", "CVE-2022-23614", "CVE-2022-39261");
  script_xref(name:"USN", value:"5947-1");

  script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Twig vulnerabilities (USN-5947-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by
multiple vulnerabilities as referenced in the USN-5947-1 advisory.

  - A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some
    circumstances, it is possible to call the __toString() method on an object even if not allowed by the
    security policy in place. (CVE-2019-9942)

  - Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the
    `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected
    versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code.
    Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other
    filters. Users are advised to upgrade. (CVE-2022-23614)

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to
    3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It
    is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'
    directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known
    workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5947-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-23614");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/03/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-cache-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-cssinliner-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-extra-bundle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-html-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-inky-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-intl-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-markdown-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-twig-string-extra");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 22.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'php-twig', 'pkgver': '1.23.1-1ubuntu4+esm1'},
    {'osver': '18.04', 'pkgname': 'php-twig', 'pkgver': '2.4.6-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-cssinliner-extra', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-extra-bundle', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-html-extra', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-inky-extra', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-intl-extra', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '20.04', 'pkgname': 'php-twig-markdown-extra', 'pkgver': '2.12.5-1ubuntu0.1~esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-cache-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-cssinliner-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-extra-bundle', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-html-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-inky-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-intl-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-markdown-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'},
    {'osver': '22.04', 'pkgname': 'php-twig-string-extra', 'pkgver': '3.3.8-2ubuntu4+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-twig / php-twig-cache-extra / php-twig-cssinliner-extra / etc');
}
VendorProductVersionCPE
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:esm
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:esm
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:esm
canonicalubuntu_linuxphp-twigp-cpe:/a:canonical:ubuntu_linux:php-twig
canonicalubuntu_linuxphp-twig-cache-extrap-cpe:/a:canonical:ubuntu_linux:php-twig-cache-extra
canonicalubuntu_linuxphp-twig-cssinliner-extrap-cpe:/a:canonical:ubuntu_linux:php-twig-cssinliner-extra
canonicalubuntu_linuxphp-twig-extra-bundlep-cpe:/a:canonical:ubuntu_linux:php-twig-extra-bundle
canonicalubuntu_linuxphp-twig-html-extrap-cpe:/a:canonical:ubuntu_linux:php-twig-html-extra
canonicalubuntu_linuxphp-twig-inky-extrap-cpe:/a:canonical:ubuntu_linux:php-twig-inky-extra
Rows per page:
1-10 of 131

Related

osv 12
ubuntu 1
openvas 17
friendsofphp 3
fedora 10
github 3
cnvd 2
debiancve 3
ubuntucve 3
debian 5
cve 3
cvelist 3
nessus 9
veracode 3
prion 3
nvd 3
githubexploit 2
redhatcve 1
drupal 1
osv
osv
php-twig, twig vulnerabilities
2023-03-13 10:55:33
Code injection in Twig
2022-02-10 22:21:48
CVE-2022-23614
2022-02-04 23:15:15
ubuntu
ubuntu
Twig vulnerabilities
2023-03-13 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-5947-1)
2023-03-13 00:00:00
Fedora: Security Advisory for php-twig3 (FEDORA-2022-167b9becef)
2022-02-13 00:00:00
Fedora: Security Advisory for php-twig2 (FEDORA-2022-47293b1d23)
2022-02-13 00:00:00
friendsofphp
friendsofphp
Disallow non closures in the sort filter
2022-02-04 06:52:21
Sandbox Information Disclosure
2019-03-12 12:35:01
Possibility to load a template outside a configured directory when using the filesystem loader
2022-09-28 10:36:08
fedora
fedora
[SECURITY] Fedora 34 Update: php-twig2-2.14.11-1.fc34
2022-02-13 01:07:35
[SECURITY] Fedora 35 Update: php-twig2-2.14.11-1.fc35
2022-02-13 01:16:39
[SECURITY] Fedora 34 Update: php-twig3-3.3.8-1.fc34
2022-02-13 01:07:39
github
github
Code injection in Twig
2022-02-10 22:21:48
Twig Sandbox Information Disclosure
2022-03-26 00:25:25
Twig may load a template outside a configured directory when using the filesystem loader
2022-09-30 05:29:36
cnvd
cnvd
Sensio Labs Twig Injection Vulnerability
2022-02-09 00:00:00
Sensio Labs Twig Path Traversal Vulnerability
2022-09-30 00:00:00
debiancve
debiancve
CVE-2022-23614
2022-02-04 23:15:15
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-39261
2022-09-28 14:15:10
ubuntucve
ubuntucve
CVE-2019-9942
2019-03-23 00:00:00
CVE-2022-23614
2022-02-04 00:00:00
CVE-2022-39261
2022-09-28 00:00:00
debian
debian
[SECURITY] [DSA 4419-1] twig security update
2019-03-29 15:50:07
[SECURITY] [DSA 4419-1] twig security update
2019-03-29 15:50:07
[SECURITY] [DSA 5107-1] php-twig security update
2022-03-24 06:38:06
cve
cve
CVE-2022-23614
2022-02-04 23:15:15
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-39261
2022-09-28 14:15:10
cvelist
cvelist
CVE-2019-9942
2019-03-23 14:31:53
CVE-2022-23614 Code injection in Twig
2022-02-04 22:25:11
CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader
2022-09-28 00:00:00
nessus
nessus
Debian DSA-4419-1 : twig - security update
2019-04-01 00:00:00
Debian DSA-5107-1 : php-twig - security update
2022-03-24 00:00:00
Fedora 36 : php-twig2 (2022-9d8ee4a6de)
2022-12-22 00:00:00
veracode
veracode
Information Disclosure
2019-07-12 06:36:57
Remote Code Execution (RCE)
2022-02-12 08:15:05
Path Traversal
2022-09-29 07:50:17
prion
prion
Information disclosure
2019-03-23 15:29:00
Code injection
2022-02-04 23:15:00
Input validation
2022-09-28 14:15:00
nvd
nvd
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-23614
2022-02-04 23:15:15
CVE-2022-39261
2022-09-28 14:15:10
githubexploit
githubexploit
Exploit for Code Injection in Symfony Twig
2023-07-04 15:52:50
Exploit for Code Injection in Symfony Twig
2022-07-18 10:14:50
redhatcve
redhatcve
CVE-2022-23614
2022-03-02 20:50:17
drupal
drupal
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
2022-09-28 00:00:00

0.026 Low

EPSS

Percentile

90.3%

JSON
Related for UBUNTU_USN-5947-1.NASL
osv12ubuntu1openvas17friendsofphp3fedora10github3cnvd2debiancve3ubuntucve3debian5cve3cvelist3nessus9veracode3prion3nvd3githubexploit2redhatcve1drupal1