Home > Vulnerability Database > CVE-2022-23614

Mend.io Vulnerability Database

CVE-2022-23614

Good to know:

Date: February 4, 2022

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

Language: PHP

Severity Score

8.8

Related Resources (23)

Url: https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/

Url: https://github.com/twigphp/Twig

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7

Url: https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/

Url: https://security-tracker.debian.org/tracker/CVE-2022-23614

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7/

Url: https://symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-23614.yaml

Url: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

Url: https://www.debian.org/security/2022/dsa-5107

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2022-23614

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD/

Url: https://www.mend.io/vulnerability-database/CVE-2022-23614

Severity Score

8.8

Weakness Type (CWE)

Code Injection

CWE-94

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version v2.14.11,v3.3.8

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-23614

Good to know:

Date: February 4, 2022

Language: PHP

Severity Score

Related Resources (23)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?