CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 88.6%
When in sandbox mode, the arrow parameter of the sort filter must be a closure, so that attackers cannot use it to run arbitrary PHP functions. We now disallow calling non-Closure callables in the sort filter, as we already did for some other filters.
We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing the issue.
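The check described above, as an added illustration that is not Twig's own code: a simplified sort filter whose "arrow" argument is accepted only when it is a Closure while sandbox mode is on, so a string naming a global PHP function cannot be passed from a template. The function and class names below are assumptions chosen for this example.

```php
<?php
// Added example, not code from the Twig project. Names are assumptions.

final class SandboxArrowError extends RuntimeException {}

/**
 * Simplified sort filter. $arrow is the optional comparison callback a
 * template can supply; $sandboxed mimics Twig's sandbox mode.
 */
function sort_filter_checked(array $array, $arrow = null, bool $sandboxed = false): array
{
    if ($arrow !== null) {
        if ($sandboxed && !$arrow instanceof Closure) {
            // Without this check a sandboxed template could pass the name of any
            // PHP function as a string callable and have it executed.
            throw new SandboxArrowError(
                'The "arrow" parameter of the "sort" filter must be a Closure in sandbox mode.'
            );
        }
        if (!is_callable($arrow)) {
            throw new InvalidArgumentException('The "arrow" parameter of the "sort" filter must be callable.');
        }
        uasort($array, $arrow);
        return $array;
    }
    asort($array);
    return $array;
}

// Constructed sample input for the demonstration.
$users = [
    ['name' => 'carol', 'age' => 40],
    ['name' => 'alice', 'age' => 30],
    ['name' => 'bob',   'age' => 35],
];

// 1. A Closure (arrow functions are Closure objects) is accepted in sandbox mode.
$byAge = sort_filter_checked($users, fn ($a, $b) => $a['age'] <=> $b['age'], true);
print_r(array_column($byAge, 'name'));

// 2. A string callable naming a global function is rejected in sandbox mode.
try {
    sort_filter_checked(['b', 'a'], 'strcmp', true);
} catch (SandboxArrowError $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 3. Outside the sandbox (trusted templates) the same string callable is still allowed.
print_r(sort_filter_checked(['b', 'a'], 'strcmp', false));
```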
github.com/advisories/GHSA-5mv2-rx3q-4w2v
github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-23614.yaml
github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
lists.fedoraproject.org/archives/list/[email protected]/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/
lists.fedoraproject.org/archives/list/[email protected]/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/
lists.fedoraproject.org/archives/list/[email protected]/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/
lists.fedoraproject.org/archives/list/[email protected]/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/
nvd.nist.gov/vuln/detail/CVE-2022-23614
symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter
www.debian.org/security/2022/dsa-5107