CVE-2022-39261 — HIGH (7.5)

Q: How severe is CVE-2022-39261?

CVE-2022-39261 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-39261?

Check the references section above for vendor advisories and patch information. Affected products include: Symfony Twig, Drupal Drupal, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Symfony	Twig	>= 1.0.0, < 1.44.7
Drupal	Drupal	>= 8.0.0, < 9.3.22
Fedoraproject	Fedora	35
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-22

References

https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0bPatchThird Party Advisory
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.debian.org/security/2022/dsa-5248Third Party Advisory
https://www.drupal.org/sa-core-2022-016PatchThird Party Advisory
https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0bPatchThird Party Advisory
https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2022-39261?

CVE-2022-39261 is a vulnerability with a CVSS score of 7.5 (HIGH). Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a use...

How severe is CVE-2022-39261?

CVE-2022-39261 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39261?

Check the references section above for vendor advisories and patch information. Affected products include: Symfony Twig, Drupal Drupal, Fedoraproject Fedora, Debian Debian Linux.