Description
CVE-2022-23614 - High Severity Vulnerability
Vulnerable Library - twig/twig-v3.0.1
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/28f856a4c57eeb24485916e8a68403f41a133616
Dependency Hierarchy:
- ❌ twig/twig-v3.0.1 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Twig is an open source template language for PHP. When in sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non-Closure callables in the sort filter, as is already the case for some other filters. Users are advised to upgrade.
Publish Date: 2022-02-04
URL: CVE-2022-23614
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-23614
Release Date: 2022-02-04
Fix Resolution: v2.14.11, v3.3.8