CVE-2019-9942

Ubuntu Security Notice USN-5947-1

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

Existe una divulgación de información del sandbox en Twig, en versiones anteriores a la 1.38.0 y versiones 2.x anteriores a la 2.7.0 ya que, en ciertas circunstancias, es posible llamar al método __toString() en un objeto incluso aunque la política de seguridad existente no lo permita.

Fabien Potencier discovered that Twig was not properly enforcing sandbox policies when dealing with objects automatically cast to strings by PHP. An attacker could possibly use this issue to expose sensitive information. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Marlon Starkloff discovered that Twig was not properly enforcing closure constraints in some of its array filtering functions. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu 20.04 ESM.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-23 CVE Reserved
2019-03-23 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://seclists.org/bugtraq/2019/Mar/60	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077	2022-04-05
https://symfony.com/blog/twig-sandbox-information-disclosure	2022-04-05

URL	Date	SRC
https://www.debian.org/security/2019/dsa-4419	2022-04-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Symfony Search vendor "Symfony"		Twig Search vendor "Symfony" for product "Twig"				< 1.38.0 Search vendor "Symfony" for product "Twig" and version " < 1.38.0"		-		Affected
Symfony Search vendor "Symfony"		Twig Search vendor "Symfony" for product "Twig"				>= 2.0.0 < 2.7.0 Search vendor "Symfony" for product "Twig" and version " >= 2.0.0 < 2.7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected