twig/twig-v2.15.2: 4 vulnerabilities (highest severity is: 8.5) #3

@mend-bolt-for-github

Description

Vulnerable Library - twig/twig-v2.15.2

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3e43405a9a8b578809426339cc3780e16fba0c52

Vulnerabilities

| Vulnerability  | Severity | CVSS | Dependency        | Type   | Fixed in (twig/twig-v2.15.2 version)                          | Remediation Possible** |
|----------------|----------|------|-------------------|--------|---------------------------------------------------------------|------------------------|
| CVE-2024-45411 | High     | 8.5  | twig/twig-v2.15.2 | Direct | twig/twig-v1.44.8, v2.16.1, v3.14.0                           |                        |
| CVE-2022-39261 | High     | 7.5  | twig/twig-v2.15.2 | Direct | twig/twig - v3.4.3, twig/twig - v2.15.3, twig/twig - v1.44.7  |                        |
| CVE-2024-51755 | Low      | 2.2  | twig/twig-v2.15.2 | Direct | twig/twig-3.11.2, 3.14.1                                      |                        |
| CVE-2024-51754 | Low      | 2.2  | twig/twig-v2.15.2 | Direct | twig/twig-3.11.2, 3.14.1                                      |                        |

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-45411

Vulnerable Library - twig/twig-v2.15.2

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Publish Date: 2024-09-09

URL: CVE-2024-45411

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6j75-5wfj-gh66

Release Date: 2024-09-09

Fix Resolution: twig/twig-v1.44.8,v2.16.1,v3.14.0

Step up your Open Source Security Game with Mend here

CVE-2022-39261

Vulnerable Library - twig/twig-v2.15.2

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the "source" or "include" statement to read arbitrary files from outside the templates' directory when using a namespace like "@somewhere/../some.file". In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Publish Date: 2022-09-28

URL: CVE-2022-39261

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-52m2-vc4m-jj33

Release Date: 2022-09-28

Fix Resolution: twig/twig - v3.4.3,twig/twig - v2.15.3,twig/twig - v1.44.7

CVE-2024-51755

Vulnerable Library - twig/twig-v2.15.2

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the "__isset()" method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-11-06

URL: CVE-2024-51755

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-51755

Release Date: 2024-11-06

Fix Resolution: twig/twig-3.11.2,3.14.1

CVE-2024-51754

Vulnerable Library - twig/twig-v2.15.2

Dependency Hierarchy:

  • twig/twig-v2.15.2 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-11-06

URL: CVE-2024-51754

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6377-hfv9-hqf6

Release Date: 2024-11-06

Fix Resolution: twig/twig-3.11.2,3.14.1
