twig/twig is vulnerable to path traversal. The vulnerability exists in the findTemplate function of FilesystemLoader.php because the template loading directories are not properly configured, which allows an attacker to load templates outside the configured directory.
github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
github.com/twigphp/Twig/commit/f8009347c438bef22ef0603ab3d3ccb44bb10bed
github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
lists.debian.org/debian-lts-announce/2022/10/msg00016.html
lists.fedoraproject.org/archives/list/[email protected]/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
lists.fedoraproject.org/archives/list/[email protected]/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
lists.fedoraproject.org/archives/list/[email protected]/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
lists.fedoraproject.org/archives/list/[email protected]/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
lists.fedoraproject.org/archives/list/[email protected]/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
lists.fedoraproject.org/archives/list/[email protected]/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
www.debian.org/security/2022/dsa-5248
www.drupal.org/sa-core-2022-016