CVE-2022-39261

Twig may load a template outside a configured directory when using the filesystem loader

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Twig es un lenguaje de plantillas para PHP. Las versiones 1.x anteriores a 1.44.7, 2.x anteriores a 2.15.3 y 3.x anteriores a 3.4.3 encuentran un problema cuando el cargador del sistema de archivos carga plantillas cuyo nombre es una entrada del usuario. Es posible usar la sentencia "source" o "include" para leer archivos arbitrarios desde fuera del directorio de las plantillas cuando es usado un espacio de nombres como "@somewhere/../some.file". En este caso, la comprobación es omitida. Las versiones 1.44.7, 2.15.3 y 3.4.3 contienen una corrección para la comprobación de estos nombres de plantillas. No son conocidas mitigaciones aparte de la actualización

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-09-28 CVE Published
2024-04-20 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (11)

URL	Tag	Source
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b	2023-11-07
https://www.drupal.org/sa-core-2022-016	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F	2023-11-07
https://www.debian.org/security/2022/dsa-5248	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Symfony Search vendor "Symfony"		Twig Search vendor "Symfony" for product "Twig"				>= 1.0.0 < 1.44.7 Search vendor "Symfony" for product "Twig" and version " >= 1.0.0 < 1.44.7"		-		Affected
Symfony Search vendor "Symfony"		Twig Search vendor "Symfony" for product "Twig"				>= 2.0.0 < 2.15.3 Search vendor "Symfony" for product "Twig" and version " >= 2.0.0 < 2.15.3"		-		Affected
Symfony Search vendor "Symfony"		Twig Search vendor "Symfony" for product "Twig"				>= 3.0.0 < 3.4.3 Search vendor "Symfony" for product "Twig" and version " >= 3.0.0 < 3.4.3"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 8.0.0 < 9.3.22 Search vendor "Drupal" for product "Drupal" and version " >= 8.0.0 < 9.3.22"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 9.4.0 < 9.4.7 Search vendor "Drupal" for product "Drupal" and version " >= 9.4.0 < 9.4.7"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected