GHSA-36m2-8rhx-f36j

Source
https://github.com/advisories/GHSA-36m2-8rhx-f36j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-36m2-8rhx-f36j/GHSA-36m2-8rhx-f36j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-36m2-8rhx-f36j
Published: 2022-01-06T23:17:07Z
Modified: 2023-11-01T04:57:39.749589Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Summary
Sandbox bypass in Latte templates
Details

Impact

The problem affects users who rely on Latte's sandbox to render templates that come from untrusted sources.

Patches

The sandbox first appeared in Latte 2.8.0. The issue is fixed in versions 2.8.8, 2.9.6 and 2.10.8.

References

The issues were discovered by JinYiTong (https://github.com/JinYiTong) and 赵钰迪 (20212010122@fudan.edu.cn).

Database specific
{
    "nvd_published_at": "2022-01-04T20:15:00Z",
    "github_reviewed_at": "2022-01-06T19:42:15Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
Affected packages

Packagist / latte/latte

Package: latte/latte
Purl: pkg:composer/latte/latte

Affected range (ECOSYSTEM): introduced 2.10.0, fixed 2.10.8

Affected versions

v2.*

v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.10.7

Packagist / latte/latte

Package: latte/latte
Purl: pkg:composer/latte/latte

Affected range (ECOSYSTEM): introduced 2.9.0, fixed 2.9.6

Affected versions

v2.*

v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5

Packagist / latte/latte

Package: latte/latte
Purl: pkg:composer/latte/latte

Affected range (ECOSYSTEM): introduced 2.8.0, fixed 2.8.8

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7