QwikSec

Security Database

CVE

CWE

Training

CVE-2022-39261

Published: Sep 28, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Vendor	Product	Versions
twigphp	Twig	affected `=> 1.0.0, < 1.44.7` affected `>= 2.0.0, < 2.15.3` affected `>= 3.0.0, < 3.4.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

https://www.drupal.org/sa-core-2022-016

vendor-advisory

FEDORA-2022-4490a4772d

vendor-advisory

FEDORA-2022-d39b2a755b

vendor-advisory

FEDORA-2022-1695454935

vendor-advisory

FEDORA-2022-9d8ee4a6de

vendor-advisory

[debian-lts-announce] 20221011 [SECURITY] [DLA 3147-1] twig security update

mailing-list

FEDORA-2022-c6fe3ebd94

vendor-advisory

FEDORA-2022-73b9fb7a77

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.