CVE-2022-39261
high-risk
Published 2022-09-28
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 have a path-traversal issue in the filesystem loader when the template name is user input. A `source` or `include` statement can read arbitrary files from outside the templates' directory by using a namespaced name such as `@somewhere/../some.file`: the loader's check against `..` traversal is bypassed for names of this form. Versions 1.44.7, 2.15.3, and 3.4.3 fix the validation of such template names. There are no known workarounds aside from upgrading; until then, do not pass user-controlled values as template names to `source`, `include` or `render`.
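The bypass described above, as an added illustration that is not Twig's own code: a Python model of namespace-aware template-name validation, contrasting a traversal check that runs on the full name (the ordering the advisory describes as bypassable, where the `@somewhere` segment offsets the following `..`) with one that runs only on the part actually joined to the namespace's directory, plus a resolved-path containment check as defense in depth. The directory layout, the `somewhere` namespace, the file names and all function names are constructed for this example; the level-counting rule is modeled on how Twig's FilesystemLoader rejects `..`, reimplemented here rather than copied.

```python
import posixpath as pp
from typing import Callable, Dict, List, Tuple

# Constructed sample configuration (hypothetical paths, not from the page):
# a main template directory plus one namespace whose directory lives
# elsewhere, as is common when a package ships its own templates.
PATHS: Dict[str, List[str]] = {
    "__main__": ["/srv/app/templates"],
    "somewhere": ["/srv/app/vendor/acme/mailer/views"],
}


def parse_name(name: str) -> Tuple[str, str]:
    """Split '@namespace/short/name' into (namespace, shortname).

    Names without a leading '@' belong to the main namespace.
    """
    if name.startswith("@"):
        pos = name.find("/")
        if pos == -1:
            raise ValueError(
                f"Malformed namespaced template name '{name}' "
                "(expecting '@namespace/template_name')."
            )
        return name[1:pos], name[pos + 1:]
    return "__main__", name


def validate_name(name: str) -> None:
    """Level-counting traversal check.

    Each ordinary segment descends one level, each '..' ascends one; the
    name is rejected as soon as it would climb above its starting point.
    """
    if "\0" in name:
        raise ValueError("A template name cannot contain NUL bytes.")
    level = 0
    for part in name.lstrip("/").split("/"):
        if part == "..":
            level -= 1
        elif part != ".":
            level += 1
        if level < 0:
            raise ValueError(
                "Looks like you try to load a template outside the "
                f"configured directories ({name})."
            )


def find_template_vulnerable(name: str) -> str:
    """Vulnerable ordering: validate the FULL name, then strip the namespace.

    '@somewhere' counts as +1, so a single '..' right after it nets to 0 and
    the check passes, yet the shortname '../x' is what gets joined to the
    namespace directory and escapes it.
    """
    validate_name(name)
    namespace, shortname = parse_name(name)
    return pp.normpath(pp.join(PATHS[namespace][0], shortname))


def find_template_fixed(name: str) -> str:
    """Fixed ordering: parse first, validate the shortname that is joined."""
    namespace, shortname = parse_name(name)
    validate_name(shortname)
    return pp.normpath(pp.join(PATHS[namespace][0], shortname))


def path_is_inside(base: str, path: str) -> bool:
    """Defense in depth: after resolving, the path must still sit under base.

    Works on normalized strings so it runs offline; with a real filesystem,
    resolve symlinks (realpath) on both sides before comparing.
    """
    base = pp.normpath(base)
    return pp.commonpath([base, pp.normpath(path)]) == base


def is_rejected(finder: Callable[[str], str], name: str) -> bool:
    """True if the given finder refuses the name with a ValueError."""
    try:
        finder(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attack = "@somewhere/../config.php"
    resolved = find_template_vulnerable(attack)
    print("vulnerable:", attack, "->", resolved,
          "inside namespace dir:", path_is_inside(PATHS["somewhere"][0], resolved))
    print("fixed rejects it:", is_rejected(find_template_fixed, attack))
```

Running it shows the vulnerable ordering resolving `@somewhere/../config.php` to a file one level above the namespace directory while the fixed ordering raises. Note that the containment check catches the escape even when the name-based check is bypassed, which is why a loader should do both, and that a plain `../etc/passwd` in the main namespace is rejected by either ordering: the bypass needs the namespace prefix to absorb the `..`.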
Do I need to act?
EPSS: 9.5% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not tracked here; the description above names the fixed releases (1.44.7, 2.15.3, 3.4.3), and vendor advisories carry fix availability and mitigation guidance
CVSS: 7.5/10, High; attack vector NETWORK, LOW attack complexity
Affected Products (7)
Affected Vendors
References (22)
Third Party Advisory
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
Third Party Advisory
https://www.debian.org/security/2022/dsa-5248
and 2 more references
Risk score: 51 / 100 (high-risk)
Severity: 26/34 · High
Exploitability: 11/34 · Low
Exposure: 14/34 · Moderate