CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile: 71.1%
Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core’s code extending Twig has also been updated to mitigate a related vulnerability. Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials. The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.
symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
twig.symfony.com/
www.drupal.org/project/drupal/releases/9.3.22
www.drupal.org/project/drupal/releases/9.4.7
www.drupal.org/psa-2021-06-29
www.drupal.org/user/1078742
www.drupal.org/user/1467782
www.drupal.org/user/157725
www.drupal.org/user/1850070
www.drupal.org/user/214652
www.drupal.org/user/246492
www.drupal.org/user/2582268
www.drupal.org/user/3407972
www.drupal.org/user/3509746
www.drupal.org/user/35733
www.drupal.org/user/3709704
www.drupal.org/user/395439
www.drupal.org/user/592268
www.drupal.org/user/65776
www.drupal.org/user/683300