Lucene search

GoogleOSV:CVE-2024-45411

HistorySep 09, 2024 - 7:15 p.m.

CVE-2024-45411

2024-09-0919:15:13

Google

osv.dev

twig

php

template

language

security

bypass

vulnerability

fix

1.44.8

2.16.1

3.14.0

CVSS3

8.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

Low

JSON

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

References

github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6

github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de

github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233

github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66

security-tracker.debian.org/tracker/CVE-2024-45411

CVSS3

8.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.7

Confidence

Low

JSON

Related for OSV:CVE-2024-45411