Homepage
About Snyk

Path Traversal Affecting twig/twig package, versions >=1.0.0, <1.12.3

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-TWIGTWIG-7165691
  • published 30 May 2024
  • disclosed 30 May 2024
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 30 May 2024

New CVE NOT AVAILABLE CWE-22 Open this link in a new tab

How to fix?

Upgrade twig/twig to version 1.12.3 or higher.

Overview

twig/twig is a flexible, fast, and secure template language for PHP.

Affected versions of this package are vulnerable to Path Traversal through the filesystem loader. An attacker can access files outside of the intended directory by manipulating template names to include traversal sequences such as /../.

Note

This is only exploitable if the application uses non-trusted template names, such as those provided by an end-user.

References

CVSS Scores

version 3.1
Expand this section

Snyk

5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None