Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01bXYyLXJ4M3EtNHcyds0pgA
Code injection in Twig
Description
When in sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions.
Resolution
We now disallow calling a non-Closure callable in the sort filter, as we already did for some other filters.
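The check the resolution describes, written out as an added illustration (this is not Twig's own code): a sandbox-aware sort filter that only accepts a Closure as its arrow argument while the sandbox is active. The class and function names (SandboxState, sandboxedSort) are assumptions for this example.

```php
<?php
// Added illustration, not Twig's code. Names below are assumptions.

final class SandboxState
{
    public function __construct(private bool $sandboxed) {}

    public function isSandboxed(): bool
    {
        return $this->sandboxed;
    }
}

/**
 * Sort $items, optionally with a template-supplied comparator ($arrow).
 * Any string that names a PHP function is a valid callable for uasort(),
 * so in sandbox mode only a real Closure (an arrow function from the
 * template) is accepted; everything else is rejected before it is called.
 *
 * @param iterable<mixed> $items
 */
function sandboxedSort(SandboxState $sandbox, iterable $items, ?callable $arrow = null): array
{
    $items = is_array($items) ? $items : iterator_to_array($items);

    if ($arrow === null) {
        asort($items);
        return $items;
    }

    if ($sandbox->isSandboxed() && !$arrow instanceof \Closure) {
        throw new RuntimeException('The callable passed to the "sort" filter must be a Closure in sandbox mode.');
    }

    uasort($items, $arrow);
    return $items;
}

// Constructed demo input.
$sandbox = new SandboxState(sandboxed: true);

// A Closure is accepted.
print_r(sandboxedSort($sandbox, ['b' => 2, 'a' => 1], fn ($x, $y) => $x <=> $y));

// A plain string callable is refused while sandboxed.
try {
    sandboxedSort($sandbox, ['b' => 2, 'a' => 1], 'strcmp');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```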
Credits
We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing the issue.
Permalink: https://github.com/advisories/GHSA-5mv2-rx3q-4w2v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01bXYyLXJ4M3EtNHcyds0pgA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 7 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5mv2-rx3q-4w2v, CVE-2022-23614
References:
- https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
- https://nvd.nist.gov/vuln/detail/CVE-2022-23614
- https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
- https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
- https://lists.fedoraproject.org/archives/list/[email protected]/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/
- https://www.debian.org/security/2022/dsa-5107
- https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-23614.yaml
- https://symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter
- https://github.com/advisories/GHSA-5mv2-rx3q-4w2v
Blast Radius: 45.1
Affected Packages
packagist:twig/twig
Dependent packages: 5,794
Dependent repositories: 131,829
Downloads: 333,560,428 total
Affected Version Ranges: >= 3.0.0, < 3.3.8, >= 2.0.0, < 2.14.11
Fixed in: 3.3.8, 2.14.11
All affected versions: 2.0.0, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7
All unaffected versions: 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.20.0, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.35.4, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.39.0, 1.39.1, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4, 1.42.5, 1.43.0, 1.43.1, 1.44.0, 1.44.1, 1.44.2, 1.44.3, 1.44.4, 1.44.5, 1.44.6, 1.44.7, 1.44.8, 2.14.11, 2.14.12, 2.14.13, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.16.0, 2.16.1, 3.3.8, 3.3.9, 3.3.10, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.12.0, 3.13.0, 3.14.0