Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5947-1 advisory.

  - A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some     circumstances, it is possible to call the __toString() method on an object even if not allowed by the     security policy in place. (CVE-2019-9942)

  - Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the     `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected     versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code.
    Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other     filters. Users are advised to upgrade. (CVE-2022-23614)

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-1695454935 advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-4490a4772d advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-d39b2a755b advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-9d8ee4a6de advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3147 advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5248 advisory.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.3.x prior to 9.3.22 or 9.4.x prior to 9.4.7. Drupal uses the Twig third-party library for content templating and sanitization. Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.3.x prior to 9.3.22 or 9.4.x prior to 9.4.7. It is, therefore, affected by a vulnerability.

  - Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to     3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It     is possible to use the `source` or `include` statement to read arbitrary files from outside the templates'     directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed.
    Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known     workarounds aside from upgrading. (CVE-2022-39261)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172497	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Twig vulnerabilities (USN-5947-1)	Nessus	Ubuntu Local Security Checks	critical
169259	Fedora 36 : php-twig (2022-1695454935)	Nessus	Fedora Local Security Checks	high
169247	Fedora 35 : php-twig (2022-4490a4772d)	Nessus	Fedora Local Security Checks	high
169157	Fedora 35 : php-twig2 (2022-d39b2a755b)	Nessus	Fedora Local Security Checks	high
169150	Fedora 36 : php-twig2 (2022-9d8ee4a6de)	Nessus	Fedora Local Security Checks	high
166040	Debian DLA-3147-1 : twig - LTS security update	Nessus	Debian Local Security Checks	high
165714	Debian DSA-5248-1 : php-twig - security update	Nessus	Debian Local Security Checks	high
113380	Drupal 9.3.x < 9.3.22 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
113379	Drupal 9.4.x < 9.4.7 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
165520	Drupal 9.3.x < 9.3.22 / 9.4.x < 9.4.7 Drupal Vulnerability (SA-CORE-2022-016)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-39261

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high