CVE-2022-23614 (High) detected in twig/twig-2.x-dev - autoclosed
mend-bolt-for-github opened this issue · 1 comments
CVE-2022-23614 - High Severity Vulnerability
Vulnerable Library - twig/twig-2.x-dev
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/c953a77b23d10c47d2b7e5ad0d062e690bd647c9
Dependency Hierarchy:
- ❌ twig/twig-2.x-dev (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the sort filter as is the case for some other filters. Users are advised to upgrade.
Publish Date: 2022-02-04
URL: CVE-2022-23614
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-23614
Release Date: 2022-02-04
Fix Resolution: v2.14.11,v3.3.8
Step up your Open Source Security Game with Mend here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.