GHSA-52m2-vc4m-jj33

Suggest an improvement
Source
https://github.com/advisories/GHSA-52m2-vc4m-jj33
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-52m2-vc4m-jj33/GHSA-52m2-vc4m-jj33.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-52m2-vc4m-jj33
Aliases
Published
2022-09-30T05:29:36Z
Modified
2024-02-21T05:25:51.888755Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Twig may load a template outside a configured directory when using the filesystem loader
Details

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

Database specific
{
    "nvd_published_at": "2022-09-28T14:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-30T05:29:36Z"
}
References

Affected packages

Packagist / twig/twig

Package

Name
twig/twig
Purl
pkg:composer/twig/twig

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.44.7

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5

v1.*

v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1
v1.9.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.12.0-RC1
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.20.0
v1.21.0
v1.21.1
v1.21.2
v1.22.0
v1.22.1
v1.22.2
v1.22.3
v1.23.0
v1.23.1
v1.23.2
v1.23.3
v1.24.0
v1.24.1
v1.24.2
v1.25.0
v1.26.0
v1.26.1
v1.27.0
v1.28.0
v1.28.1
v1.28.2
v1.29.0
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.33.1
v1.33.2
v1.34.0
v1.34.1
v1.34.2
v1.34.3
v1.34.4
v1.35.0
v1.35.1
v1.35.2
v1.35.3
v1.35.4
v1.36.0
v1.37.0
v1.37.1
v1.38.0
v1.38.1
v1.38.2
v1.38.3
v1.38.4
v1.39.0
v1.39.1
v1.40.0
v1.40.1
v1.41.0
v1.42.0
v1.42.1
v1.42.2
v1.42.3
v1.42.4
v1.42.5
v1.43.0
v1.43.1
v1.44.0
v1.44.1
v1.44.2
v1.44.3
v1.44.4
v1.44.5
v1.44.6

Packagist / twig/twig

Package

Name
twig/twig
Purl
pkg:composer/twig/twig

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.15.3

Affected versions

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.9.0
v2.10.0
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.12.5
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.14.8
v2.14.9
v2.14.10
v2.14.11
v2.14.12
v2.14.13
v2.15.0
v2.15.1
v2.15.2

Packagist / twig/twig

Package

Name
twig/twig
Purl
pkg:composer/twig/twig

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.3

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.2.1
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.4.0
v3.4.1
v3.4.2