CVE-2022-39261

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates' directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Fixed

e637df2c3679a3eb768675681220e74a5ee51a18

Introduced

970c1b5cfa946f683de326a3f252b5371a42186a

Fixed

89d5167a40092f646c810b52ad7bde1f091ee73f

Affected versions

8.*

8.0.0

8.1.0-beta1

9.*

9.0.0-alpha1

9.0.0-alpha2

9.3.0

9.3.0-alpha1

9.3.0-beta1

9.3.0-beta2

9.3.0-beta3

9.3.0-rc1

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.19

9.3.2

9.3.20

9.3.21

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.4.0

9.4.0-alpha1

9.4.0-beta1

9.4.0-rc1

9.4.0-rc2

9.4.1

9.4.2

9.4.3

9.4.4

9.4.5

9.4.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39261.json"

Git / github.com/twigphp/twig

Affected ranges

Type: GIT
Repo: https://github.com/twigphp/twig
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

35f3035c5deb0041da7b84daf02dea074ddc7a0b

Introduced

2a86dde1288d7270169083d0e078dc7ebe0f48b6

Fixed

ab402673db8746cb3a4c46f3869d6253699f614a

Introduced

2f106a80cc13b4260074e573fa017a770fe20350

Fixed

0887422319889e442458e48e2f3d9add1a172ad5

Introduced

9b58bb8ac7a41d72fbb5a7dc643e07923e5ccc26

Fixed

c38fd6b0b7f370c198db91ffd02e23b517426b58

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.0-RC1

v1.1.0-RC2

v1.1.0-RC3

v1.1.1

v1.1.2

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.11.0

v1.11.1

v1.12.0

v1.12.0-RC1

v1.12.1

v1.12.2

v1.12.3

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.2.0

v1.2.0-RC1

v1.20.0

v1.21.0

v1.21.1

v1.21.2

v1.22.0

v1.22.1

v1.22.2

v1.22.3

v1.23.0

v1.23.1

v1.23.2

v1.23.3

v1.24.0

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.1

v1.27.0

v1.28.0

v1.28.1

v1.28.2

v1.29.0

v1.3.0

v1.3.0-RC1

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.33.1

v1.33.2

v1.34.0

v1.34.1

v1.34.2

v1.34.3

v1.34.4

v1.35.0

v1.35.1

v1.35.2

v1.35.3

v1.35.4

v1.36.0

v1.37.0

v1.37.1

v1.38.0

v1.38.1

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.1

v1.4.0

v1.4.0-RC1

v1.4.0-RC2

v1.40.0

v1.40.1

v1.41.0

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.5

v1.43.0

v1.43.1

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

v1.5.0

v1.5.0-RC1

v1.5.0-RC2

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.7.0

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

v1.9.2

v2.*

v2.0.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39261.json"