CVE-2022-39261

HIGH

Symfony Twig < 1.44.7 - Path Traversal


Description

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 are affected when the filesystem loader loads templates whose name is user input. The `source` or `include` statement can then be used to read arbitrary files from outside the templates' directory by using a namespaced name such as `@somewhere/../some.file`; in that case the loader's path validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 fix the validation of such template names. There are no known workarounds aside from upgrading.

References

Patch, Third Party Advisory
https://www.drupal.org/sa-core-2022-016

Third Party Advisory (vendor advisory)
https://www.debian.org/security/2022/dsa-5248

Mailing List, Third Party Advisory (mailing list)
https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html

Scores

CVSS v3 7.5
EPSS 0.0950
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (8)
debian/debian_linux 10.0
debian/debian_linux 11.0
drupal/drupal 8.0.0 - 9.3.22
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
symfony/twig 1.0.0 - 1.44.7
twig/twig 1.0.0 - 1.44.7 (Packagist)
Published Sep 28, 2022
Tracked Since Feb 18, 2026