Twig 1.x/2.x/3.x Template Injection via Namespace Traversal (Fixed 1.44.7/2.15.3/3.4.3)
CVE-2022-39261 Published on September 28, 2022
Twig may load a template outside a configured directory when using the filesystem loader
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Vulnerability Analysis
CVE-2022-39261 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2022-39261 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2022-39261
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-39261 are published in these products:
Affected Versions
twigphp Twig:- Version => 1.0.0, < 1.44.7 is affected.
- Version >= 2.0.0, < 2.15.3 is affected.
- Version >= 3.0.0, < 3.4.3 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2022-39261
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | twig/twig | >= 3.0.0, < 3.4.3 | 3.4.3 |
| composer | twig/twig | >= 2.0.0, < 2.15.3 | 2.15.3 |
| composer | twig/twig | >= 1.0.0, < 1.44.7 | 1.44.7 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.