Lucene search

Veracode Vulnerability DatabaseVERACODE:34158

HistoryFeb 12, 2022 - 8:15 a.m.

Remote Code Execution (RCE)

2022-02-1208:15:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

twig

sandbox mode

remote code execution

EPSS

0.019

Percentile

88.6%

JSON

Twig is vulnerable to remote code execution. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions.

References

github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9

github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5

github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v

lists.fedoraproject.org/archives/list/[email protected]/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/

lists.fedoraproject.org/archives/list/[email protected]/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/

lists.fedoraproject.org/archives/list/[email protected]/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/

lists.fedoraproject.org/archives/list/[email protected]/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/

security-tracker.debian.org/tracker/CVE-2022-23614

www.debian.org/security/2022/dsa-5107

EPSS

0.019

Percentile

88.6%

JSON

Related for VERACODE:34158