Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-73b9fb7a77 advisory.

    **Version 2.15.3** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-c6fe3ebd94 advisory.

    **Version 1.44.7** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5947-1 advisory.

    Fabien Potencier discovered that Twig was not properly enforcing sandbox policies when dealing with     objects automatically cast to strings by PHP. An attacker could possibly use this issue to expose     sensitive information. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-9942)

    Marlon Starkloff discovered that Twig was not properly enforcing closure constraints in some of its array     filtering functions. An attacker could possibly use this issue to execute arbitrary code. This issue was     only fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

    Dariusz Tytko discovered that Twig was not properly verifying input data utilized when defining pathnames     used to access files in a system. An attacker could possibly use this issue to access unauthorized     resources and expose sensitive information. (CVE-2022-39261)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-1695454935 advisory.

    **Version 1.44.7** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-4490a4772d advisory.

    **Version 1.44.7** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-d39b2a755b advisory.

    **Version 2.15.3** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-9d8ee4a6de advisory.

    **Version 2.15.3** (2022-09-28)

    * Fix a security issue on filesystem loader (possibility to load a template outside a configured     directory)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3147 advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5248 advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.3.x prior to 9.3.22 or 9.4.x prior to 9.4.7. Drupal uses the Twig third-party library for content templating and sanitization. Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.3.x prior to 9.3.22 or 9.4.x prior to 9.4.7. It is, therefore, affected by a vulnerability.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211440	Fedora 37 : php-twig2 (2022-73b9fb7a77)	Nessus	Fedora Local Security Checks	high
211408	Fedora 37 : php-twig (2022-c6fe3ebd94)	Nessus	Fedora Local Security Checks	high
172497	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Twig vulnerabilities (USN-5947-1)	Nessus	Ubuntu Local Security Checks	critical
169259	Fedora 36 : php-twig (2022-1695454935)	Nessus	Fedora Local Security Checks	high
169247	Fedora 35 : php-twig (2022-4490a4772d)	Nessus	Fedora Local Security Checks	high
169157	Fedora 35 : php-twig2 (2022-d39b2a755b)	Nessus	Fedora Local Security Checks	high
169150	Fedora 36 : php-twig2 (2022-9d8ee4a6de)	Nessus	Fedora Local Security Checks	high
166040	Debian DLA-3147-1 : twig - LTS security update	Nessus	Debian Local Security Checks	high
165714	Debian DSA-5248-1 : php-twig - security update	Nessus	Debian Local Security Checks	high
113380	Drupal 9.3.x < 9.3.22 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
113379	Drupal 9.4.x < 9.4.7 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
165520	Drupal 9.3.x < 9.3.22 / 9.4.x < 9.4.7 Drupal Vulnerability (SA-CORE-2022-016)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-39261

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high