CVE-2022-39261

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the source or include statement to read arbitrary files from outside the templates' directory when using a namespace like @somewhere/../some.file. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39261.json"
}

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type

GIT

Repo

https://github.com/drupal/drupal

Events

Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Fixed

e637df2c3679a3eb768675681220e74a5ee51a18

Introduced

970c1b5cfa946f683de326a3f252b5371a42186a

Fixed

89d5167a40092f646c810b52ad7bde1f091ee73f

Introduced

Last affected

2700c5afb6c3936041db413872eea82dc0bd4fe4

Introduced

Last affected

140f94ff1051644c4416c7ed30cc5dd1f14507b2

Database specific

{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "9.3.22"
        },
        {
            "introduced": "9.4.0"
        },
        {
            "fixed": "9.4.7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.0"
        }
    ]
}

Affected versions

10.*

10.0.0

10.0.0-alpha1

10.0.0-alpha3

10.0.0-alpha4

10.0.0-alpha5

10.0.0-alpha6

10.0.0-alpha7

10.0.0-beta1

10.0.0-beta2

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.1.0-alpha1

11.*

11.0.0

11.0.0-alpha1

11.0.0-beta1

8.*

8.0.0

8.1.0-beta1

9.*

9.0.0-alpha1

9.0.0-alpha2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39261.json"

Git / github.com/twigphp/twig

Affected ranges

Type

GIT

Repo

https://github.com/twigphp/twig

Events

Introduced

2a86dde1288d7270169083d0e078dc7ebe0f48b6

Fixed

ab402673db8746cb3a4c46f3869d6253699f614a

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.15.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/twigphp/twig

Events

Introduced

9b58bb8ac7a41d72fbb5a7dc643e07923e5ccc26

Fixed

c38fd6b0b7f370c198db91ffd02e23b517426b58

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.4.3"
        }
    ]
}

Affected versions

v1.*

v1.31.0

v1.32.0

v1.33.0

v1.33.1

v1.33.2

v1.34.0

v1.34.1

v1.34.2

v1.34.3

v1.34.4

v1.35.0

v1.35.1

v1.35.2

v1.35.3

v1.35.4

v1.36.0

v1.37.0

v1.37.1

v1.38.0

v1.38.1

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.1

v1.40.0

v1.40.1

v1.41.0

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.5

v1.43.0

v1.43.1

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.11.1

v2.11.2

v2.11.3

v2.12.0

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.1

v2.14.0

v2.14.1

v2.14.10

v2.14.11

v2.14.12

v2.14.13

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.14.7

v2.14.8

v2.14.9

v2.15.0

v2.15.1

v2.15.2

v2.15.3

v2.2.0

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.8.0

v2.8.1

v2.9.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.1.1

v3.2.1

v3.3.0

v3.3.1

v3.3.10

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.4.0

v3.4.1

v3.4.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39261.json"