GHSA-52m2-vc4m-jj33

Source

https://github.com/advisories/GHSA-52m2-vc4m-jj33

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-52m2-vc4m-jj33/GHSA-52m2-vc4m-jj33.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-52m2-vc4m-jj33

Aliases

Published

2022-09-30T05:29:36Z

Modified

2025-12-02T23:13:13.957742Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Twig may load a template outside a configured directory when using the filesystem loader

Details

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

Database specific

{
    "nvd_published_at": "2022-09-28T14:15:00Z",
    "github_reviewed_at": "2022-09-30T05:29:36Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Packagist / twig/twig

Package

Name: twig/twig
Purl: pkg:composer/twig/twig

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.44.7

Affected versions

1.*

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

v1.*

v1.7.0

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.9.0

v1.9.1

v1.9.2

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.11.0

v1.11.1

v1.12.0-RC1

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.20.0

v1.21.0

v1.21.1

v1.21.2

v1.22.0

v1.22.1

v1.22.2

v1.22.3

v1.23.0

v1.23.1

v1.23.2

v1.23.3

v1.24.0

v1.24.1

v1.24.2

v1.25.0

v1.26.0

v1.26.1

v1.27.0

v1.28.0

v1.28.1

v1.28.2

v1.29.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.33.1

v1.33.2

v1.34.0

v1.34.1

v1.34.2

v1.34.3

v1.34.4

v1.35.0

v1.35.1

v1.35.2

v1.35.3

v1.35.4

v1.36.0

v1.37.0

v1.37.1

v1.38.0

v1.38.1

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.1

v1.40.0

v1.40.1

v1.41.0

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.5

v1.43.0

v1.43.1

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

Packagist / twig/twig

Package

Name: twig/twig
Purl: pkg:composer/twig/twig

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.15.3

Affected versions

v2.*

v2.0.0

v2.1.0

v2.2.0

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.8.0

v2.8.1

v2.9.0

v2.10.0

v2.11.0

v2.11.1

v2.11.2

v2.11.3

v2.12.0

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.1

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.14.7

v2.14.8

v2.14.9

v2.14.10

v2.14.11

v2.14.12

v2.14.13

v2.15.0

v2.15.1

v2.15.2

Packagist / twig/twig

Package

Name: twig/twig
Purl: pkg:composer/twig/twig

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.3

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.1.1

v3.2.1

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.3.10

v3.4.0

v3.4.1

v3.4.2