CVE-2022-39261

Severity: High (CVSS 3.1 base score 7.5)
Published: Sep 28, 2022 (3y ago)
Last Modified: Jun 17, 2026 (1w ago)

Description

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-22 Path Traversal (Resource Management)

Affected Products (10)

Vendor          Product        Version   Range
symfony         twig           *         ≥1.0.0, <1.44.7
symfony         twig           *         ≥2.0.0, <2.15.3
symfony         twig           *         ≥3.0.0, <3.4.3
drupal          drupal         *         ≥8.0.0, <9.3.22
drupal          drupal         *         ≥9.4.0, <9.4.7
fedoraproject   fedora         35        any
fedoraproject   fedora         36        any
fedoraproject   fedora         37        any
debian          debian_linux   10.0      any
debian          debian_linux   11.0      any

References (11)

  • github.com https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
    Patch, Third Party Advisory
  • github.com https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
  • debian.org https://www.debian.org/security/2022/dsa-5248
    Third Party Advisory
  • drupal.org https://www.drupal.org/sa-core-2022-016
    Patch, Third Party Advisory

Remediation

  • github.com https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
    Patch, Third Party Advisory
  • drupal.org https://www.drupal.org/sa-core-2022-016
    Patch, Third Party Advisory