Sandbox Information Disclosure in Twig by Symfony
CVE-2019-9942

3.7 LOW

Key Information:

Vendor
Symfony
Status
Vendor
CVE Published:
23 March 2019

Summary

An information disclosure vulnerability was identified in the sandbox extension of the Twig templating engine. The sandbox enforces a whitelist security policy listing which tags, filters, functions, methods and properties a template may use, but under some circumstances an object's __toString() method could be invoked even when the policy did not allow it: printing an object ({{ obj }}) or concatenating it with a string converts it implicitly, and that implicit conversion was not checked as a method call. A template author confined to the sandbox could therefore read whatever __toString() returns for any object passed into the template context. The issue affects Twig 1.x before 1.38.0 and 2.x before 2.7.0. The fixed releases check that __toString() is permitted by the policy before a sandboxed template converts an object to a string, so after upgrading, classes whose objects are meant to be printable inside sandboxed templates must have __toString listed among their allowed methods. Developers using affected versions should update, and should also review which objects are exposed to untrusted templates and what their __toString() methods return.
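The behaviour described above, as an added example that is not part of the advisory or of the Twig project's own code. It assumes a Composer-installed Twig with the namespaced class names of 2.7+/3.x (substitute the corresponding Twig_ class names on older 1.x/2.x releases, where the print and concat cases leak); the User class, its token and the autoload path are constructed for the demonstration:

```php
<?php
// Added example for CVE-2019-9942; not from the advisory or from Twig itself.
// Assumes: Composer autoload at vendor/autoload.php, namespaced Twig classes
// (2.7+/3.x). The User class and its token are constructed sample data.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// A domain object whose string form contains data a template author must not see.
final class User
{
    private $name;
    private $apiToken;

    public function __construct(string $name, string $apiToken)
    {
        $this->name = $name;
        $this->apiToken = $apiToken;
    }

    public function getName(): string
    {
        return $this->name;
    }

    // Before 1.38.0 / 2.7.0 this ran on implicit string conversion inside a
    // sandboxed template without the policy ever being consulted.
    public function __toString(): string
    {
        return $this->name . ' <token:' . $this->apiToken . '>';
    }
}

// Render one template under a whitelist policy that allows only the given methods.
function renderSandboxed(string $template, array $allowedMethods): string
{
    $policy = new SecurityPolicy(
        [],               // allowed tags
        ['escape'],       // allowed filters: autoescaping applies "escape" to every {{ }} output
        $allowedMethods,  // allowed methods, keyed by class name
        [],               // allowed properties
        []                // allowed functions
    );
    $twig = new Environment(new ArrayLoader(['t' => $template]), ['cache' => false]);
    // Second argument: sandbox every template, not only those rendered via {% sandbox %}.
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('t', ['user' => new User('alice', 'constructed-secret-123')]);
}

$templates = [
    // Explicit, disallowed method call: rejected both before and after the fix.
    'explicit call' => '{{ user.__toString() }}',
    // Implicit conversion via print: leaks the token on < 1.38.0 / < 2.7.0, rejected once fixed.
    'print'         => '{{ user }}',
    // Implicit conversion via concatenation: same code path as print.
    'concat'        => '{{ "Hello " ~ user }}',
];

foreach ($templates as $label => $tpl) {
    try {
        printf("%-14s %s\n", $label . ':', renderSandboxed($tpl, []));
    } catch (SecurityError $e) {
        printf("%-14s blocked: %s\n", $label . ':', $e->getMessage());
    }
}

// The supported way to make an object printable inside a sandbox on fixed
// versions: allow __toString explicitly for that class (names are matched
// case-insensitively). Only do this for classes whose string form is safe to expose.
echo renderSandboxed('{{ user }}', [User::class => ['__toString']]), "\n";
```

On a patched Twig all three entries in the loop print "blocked" and only the final, explicitly allowed render shows the user's string form; on a vulnerable release the "print" and "concat" entries output the token even though the empty method whitelist was meant to forbid it. When upgrading, grep the policy's allowed methods for __toString and decide per class whether the string form is safe to expose, rather than allowing it globally.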

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 23 March 2019