Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntuUbuntuUSN-5947-1
HistoryMar 13, 2023 - 12:00 a.m.

Twig vulnerabilities

2023-03-1300:00:00
ubuntu.com
39
twig
ubuntu
lts
esm
php
sandbox policies
closure constraints
code execution
data exposure
cve-2019-9942
cve-2022-23614
cve-2022-39261

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.026 Low

EPSS

Percentile

90.3%

JSON

Releases

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 ESM
  • Ubuntu 16.04 ESM

Packages

  • php-twig - Flexible, fast, and secure template engine for PHP
  • twig - Flexible, fast, and secure template engine for PHP

Details

Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)

Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)

Related

nessus 10
openvas 17
osv 12
friendsofphp 3
redhatcve 1
veracode 3
prion 3
nvd 3
debian 5
ubuntucve 3
fedora 10
cve 3
debiancve 3
github 3
cnvd 2
cvelist 3
githubexploit 2
drupal 1
nessus
nessus
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Twig vulnerabilities (USN-5947-1)
2023-03-13 00:00:00
Debian DSA-5107-1 : php-twig - security update
2022-03-24 00:00:00
Debian DSA-4419-1 : twig - security update
2019-04-01 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-5947-1)
2023-03-13 00:00:00
Fedora: Security Advisory for php-twig3 (FEDORA-2022-167b9becef)
2022-02-13 00:00:00
Fedora: Security Advisory for php-twig2 (FEDORA-2022-47293b1d23)
2022-02-13 00:00:00
osv
osv
php-twig, twig vulnerabilities
2023-03-13 10:55:33
Code injection in Twig
2022-02-10 22:21:48
CVE-2022-23614
2022-02-04 23:15:15
friendsofphp
friendsofphp
Disallow non closures in the sort filter
2022-02-04 06:52:21
Sandbox Information Disclosure
2019-03-12 12:35:01
Possibility to load a template outside a configured directory when using the filesystem loader
2022-09-28 10:36:08
redhatcve
redhatcve
CVE-2022-23614
2022-03-02 20:50:17
veracode
veracode
Remote Code Execution (RCE)
2022-02-12 08:15:05
Information Disclosure
2019-07-12 06:36:57
Path Traversal
2022-09-29 07:50:17
prion
prion
Code injection
2022-02-04 23:15:00
Information disclosure
2019-03-23 15:29:00
Input validation
2022-09-28 14:15:00
nvd
nvd
CVE-2022-23614
2022-02-04 23:15:15
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-39261
2022-09-28 14:15:10
debian
debian
[SECURITY] [DSA 5107-1] php-twig security update
2022-03-24 06:38:06
[SECURITY] [DSA 4419-1] twig security update
2019-03-29 15:50:07
[SECURITY] [DSA 4419-1] twig security update
2019-03-29 15:50:07
ubuntucve
ubuntucve
CVE-2022-23614
2022-02-04 00:00:00
CVE-2019-9942
2019-03-23 00:00:00
CVE-2022-39261
2022-09-28 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: php-twig3-3.3.8-1.fc35
2022-02-13 01:16:42
[SECURITY] Fedora 34 Update: php-twig2-2.14.11-1.fc34
2022-02-13 01:07:35
[SECURITY] Fedora 35 Update: php-twig2-2.14.11-1.fc35
2022-02-13 01:16:39
cve
cve
CVE-2022-23614
2022-02-04 23:15:15
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-39261
2022-09-28 14:15:10
debiancve
debiancve
CVE-2019-9942
2019-03-23 15:29:00
CVE-2022-23614
2022-02-04 23:15:15
CVE-2022-39261
2022-09-28 14:15:10
github
github
Code injection in Twig
2022-02-10 22:21:48
Twig Sandbox Information Disclosure
2022-03-26 00:25:25
Twig may load a template outside a configured directory when using the filesystem loader
2022-09-30 05:29:36
cnvd
cnvd
Sensio Labs Twig Injection Vulnerability
2022-02-09 00:00:00
Sensio Labs Twig Path Traversal Vulnerability
2022-09-30 00:00:00
cvelist
cvelist
CVE-2022-23614 Code injection in Twig
2022-02-04 22:25:11
CVE-2019-9942
2019-03-23 14:31:53
CVE-2022-39261 Twig may load a template outside a configured directory when using the filesystem loader
2022-09-28 00:00:00
githubexploit
githubexploit
Exploit for Code Injection in Symfony Twig
2023-07-04 15:52:50
Exploit for Code Injection in Symfony Twig
2022-07-18 10:14:50
drupal
drupal
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
2022-09-28 00:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.026 Low

EPSS

Percentile

90.3%

JSON
Related for USN-5947-1
nessus10openvas17osv12friendsofphp3redhatcve1veracode3prion3nvd3debian5ubuntucve3fedora10cve3debiancve3github3cnvd2cvelist3githubexploit2drupal1