Home > Vulnerability Database > CVE-2022-39261

Mend.io Vulnerability Database

CVE-2022-39261

Good to know:

Date: September 28, 2022

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Language: PHP

Severity Score

7.5

Related Resources (15)

Url: https://security-tracker.debian.org/tracker/CVE-2022-39261

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2022-39261

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/

Url: https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

Url: https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39261

Url: https://www.debian.org/security/2022/dsa-5248

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/

Url: https://www.drupal.org/sa-core-2022-016

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/

Url: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

Url: https://www.mend.io/vulnerability-database/CVE-2022-39261

Severity Score

7.5

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version v1.44.7,v2.15.3,v3.4.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39261

Good to know:

Date: September 28, 2022

Language: PHP

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?