Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-45411

Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

Published

2024-09-09T19:15:13.543

Last Modified

2024-11-21T09:37:44.680

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.5 (HIGH)

Weaknesses

Type: Secondary
CWE-693
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	symfony	twig	< 1.44.8	Yes
Application	symfony	twig	< 2.16.1	Yes
Application	symfony	twig	< 3.14.0	Yes

References

https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6 Patch ([email protected])
https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de Patch ([email protected])
https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233 Patch ([email protected])
https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66 Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2024/09/msg00031.html (af854a3a-2127-422b-91ae-364da2661108)