Twig Template Language Vulnerability Affects Sandbox Security
CVE-2024-45411

8.6HIGH

Key Information:

Vendor

TwigPHP

Status
Twig
Vendor
CVE Published:
9 September 2024

What is CVE-2024-45411?

Twig, the popular template language for PHP, contains a vulnerability that compromises sandbox security checks under specific conditions. This flaw enables user-contributed templates to bypass the intended sandbox restrictions, potentially allowing untrusted input to execute arbitrary code in a restricted environment. The issue affects versions of Twig prior to 1.44.8, 2.16.1, and 3.14.0, necessitating prompt updates to mitigate possible security risks.

Affected Version(s)

Twig > 1.0.0, < 1.44.8 > 1.0.0, 1.44.8

Twig > 2.0.0, < 2.16.1 > 2.0.0, 2.16.1

Twig > 3.0.0, < 3.14.0 > 3.0.0, 3.14.0

References

https://github.com/twigphp/Twig/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf6...
x_refsource_MISC
https://github.com/twigphp/Twig/commit/2102dd135986db7919...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.