CVE-2019-9942 (Low) detected in twig/twig-v2.5.0
mend-bolt-for-github opened this issue · 0 comments
mend-bolt-for-github commented
CVE-2019-9942 - Low Severity Vulnerability
Vulnerable Library - twig/twig-v2.5.0
Twig, the flexible, fast, and secure template language for PHP
Dependency Hierarchy:
- ❌ twig/twig-v2.5.0 (Vulnerable Library)
Found in HEAD commit: ef456077a376cdd28e3b2d265140fd70248ba2df
Vulnerability Details
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
Publish Date: 2019-03-23
URL: CVE-2019-9942
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9942
Release Date: 2019-03-23
Fix Resolution: v2.7.0
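The following probe is an added example for this issue; it is not code from Twig, from the scanner, or from this repository. It builds a sandboxed Twig environment whose security policy allows no methods at all (so `__toString()` is never permitted on the object) and renders a set of constructed templates that each force a string conversion through a different engine path. It assumes a Composer install of twig/twig under `./vendor`, and the `Secret` class and template names are hypothetical. Autoescaping is switched off explicitly because that setting changes which code path a plain `{{ obj }}` takes. Any row that prints `SECRET-VALUE` is a conversion path the installed release does not route through the policy, which is exactly the class of problem the advisory describes; the version line at the top applies the fixed-release thresholds from the advisory (1.38.0 for the 1.x line, 2.7.0 for the 2.x line).

```php
<?php
declare(strict_types=1);

// Added example, not Twig's own code and not part of the advisory: probe which
// string-conversion paths the installed Twig release guards with the sandbox
// policy. Assumes `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical object whose __toString() returns data the policy must protect.
final class Secret
{
    public function __toString(): string
    {
        return 'SECRET-VALUE';
    }
}

// Constructed templates; each one converts $obj to a string through a
// different path in the engine (direct print, escape filter, join, concat).
$templates = [
    'print'  => '{{ obj }}',
    'escape' => '{{ obj|e }}',
    'join'   => '{{ [obj]|join(",") }}',
    'concat' => '{{ "prefix:" ~ obj }}',
];

// Policy: only the two filters the probes need, and no methods at all, so
// calling __toString() on Secret is never allowed by this policy.
$policy = new SecurityPolicy(
    [],            // allowed tags
    ['e', 'join'], // allowed filters
    [],            // allowed methods (empty: __toString is not allowed)
    [],            // allowed properties
    []             // allowed functions
);

$twig = new Environment(new ArrayLoader($templates), [
    'autoescape' => false, // keep the print path distinct from the escape path
    'cache'      => false,
]);
// Second argument true: every template rendered by this environment is sandboxed.
$twig->addExtension(new SandboxExtension($policy, true));

// Fixed-release thresholds taken from the advisory text.
$version = Environment::VERSION;
$fixed = version_compare($version, '2.0.0', '>=')
    ? version_compare($version, '2.7.0', '>=')
    : version_compare($version, '1.38.0', '>=');
printf("twig/twig %s: %s\n", $version, $fixed ? 'at or above fixed release' : 'VULNERABLE per CVE-2019-9942');

foreach (array_keys($templates) as $name) {
    try {
        $out = $twig->render($name, ['obj' => new Secret()]);
        // Output reached the caller: this path did not consult the policy.
        printf("%-7s LEAKED  %s\n", $name, $out);
    } catch (SecurityError $e) {
        // Expected outcome for a guarded path: SecurityNotAllowedMethodError.
        printf("%-7s BLOCKED %s\n", $name, get_class($e));
    }
}
```

Run it with `php probe.php` before and after `composer require twig/twig:^2.7` to see the difference the upgrade makes for the paths that release guards. Do not treat a clean run as proof that every conversion path is covered: the probe only exercises the four templates above, and the policy it uses is deliberately stricter than a production one so that any leak is unambiguous.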