CVE-2019-9942

low-risk
Published 2019-03-23

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

Do I need to act?

-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (2)

Twig

Affected Vendors

Debian Symfony

References (8)

Patch https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
Mailing List https://seclists.org/bugtraq/2019/Mar/60
Patch https://symfony.com/blog/twig-sandbox-information-disclosure
Third Party Advisory https://www.debian.org/security/2019/dsa-4419
Patch https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
Mailing List https://seclists.org/bugtraq/2019/Mar/60
Patch https://symfony.com/blog/twig-sandbox-information-disclosure
Third Party Advisory https://www.debian.org/security/2019/dsa-4419
22
/ 100
low-risk
Severity 13/34 · Low
Exploitability 2/34 · Minimal
Exposure 7/34 · Low