UBUNTU-CVE-2022-23614
- Source
- https://ubuntu.com/security/CVE-2022-23614
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23614.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-23614
- Related
- Published
- 2022-02-04T23:15:00Z
- Modified
- 2024-10-15T14:09:47Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Twig is an open source template language for PHP. When in a sandbox mode, the
arrowparameter of thesortfilter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in thesortfilter as is the case for some other filters. Users are advised to upgrade. - References
-
- https://ubuntu.com/security/CVE-2022-23614
- https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
- https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
- https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
- https://ubuntu.com/security/notices/USN-5947-1
- https://www.cve.org/CVERecord?id=CVE-2022-23614
Affected packages
Ubuntu:20.04:LTS / php-twig
Package
- Name
- php-twig
- Purl
- pkg:deb/ubuntu/php-twig?arch=src?distro=focal
Ubuntu:Pro:20.04:LTS / php-twig
Package
- Name
- php-twig
- Purl
- pkg:deb/ubuntu/php-twig?arch=src?distro=esm-apps/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.12.5-1ubuntu0.1~esm1
Ecosystem specific
{
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"ubuntu_priority": "medium",
"binaries": [
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-cssinliner-extra"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-doc"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-extra-bundle"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-html-extra"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-inky-extra"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-intl-extra"
},
{
"binary_version": "2.12.5-1ubuntu0.1~esm1",
"binary_name": "php-twig-markdown-extra"
}
]
}
Ubuntu:22.04:LTS / php-twig
Package
- Name
- php-twig
- Purl
- pkg:deb/ubuntu/php-twig?arch=src?distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3.8-2ubuntu4
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-cache-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-cssinliner-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-doc"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-extra-bundle"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-html-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-inky-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-intl-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-markdown-extra"
},
{
"binary_version": "3.3.8-2ubuntu4",
"binary_name": "php-twig-string-extra"
}
]
}