twig/twig CVE-2024-45411

Created on 11 September 2024, 5 months ago

Problem/Motivation

https://github.com/advisories/GHSA-6j75-5wfj-gh66 Twig has a possible sandbox bypass

Steps to reproduce

Run composer audit:

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | twig/twig |
| Severity | high |
| CVE | CVE-2024-45411 |
| Title | Twig has a possible sandbox bypass |
| URL | https://github.com/advisories/GHSA-6j75-5wfj-gh66 |
| Affected versions | >=3.0.0,<3.11.1|>=3.12.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8 |
| Reported at | 2024-09-09T20:19:26+00:00 |
+-------------------+----------------------------------------------------------------------------------+

Proposed resolution

Drupal core 10.3.3 shipped with "twig/twig": "^3.9.3".
Update to ^3.14.0.

🐛 Bug report
Status

Closed: duplicate

Version

10.3

Component
Markup 

Last updated 3 months ago

No maintainer
Created by

🇦🇺Australia taggartj

  • Security
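An added example (not part of the original issue or of Drupal's or Composer's code): a Python sketch that parses the "Affected versions" expression from the audit output above and checks a locked version, or a caret constraint such as ^3.9.3, against it. It assumes plain x.y.z versions and only the `>=`, `<` and `^` forms that appear on this page; all function names are hypothetical.

```python
import re

# Affected ranges copied from the composer audit output on this page.
AFFECTED = ">=3.0.0,<3.11.1|>=3.12.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8"

def ver(text):
    """'3.11.1' -> (3, 11, 1). Assumption: no pre-release or build suffixes."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(part) for part in m.groups())

def parse_affected(expr):
    """Return half-open intervals [low, high); '|' means OR, ',' means AND."""
    intervals = []
    for branch in expr.split("|"):
        low = high = None
        for term in (t.strip() for t in branch.split(",")):
            if term.startswith(">="):
                low = ver(term[2:])
            elif term.startswith("<") and not term.startswith("<="):
                high = ver(term[1:])
            else:
                raise ValueError(f"unsupported term: {term!r}")
        if low is None or high is None:
            raise ValueError(f"open-ended branch not handled: {branch!r}")
        intervals.append((low, high))
    return intervals

def is_affected(version, intervals):
    """True if one concrete version (e.g. from composer.lock) is in range."""
    v = ver(version)
    return any(low <= v < high for low, high in intervals)

def caret_range(constraint):
    """'^3.9.3' -> ((3, 9, 3), (4, 0, 0)). Only handles major >= 1."""
    if not constraint.startswith("^"):
        raise ValueError(f"not a caret constraint: {constraint!r}")
    low = ver(constraint[1:])
    if low[0] == 0:
        raise ValueError("0.x caret semantics are not handled here")
    return low, (low[0] + 1, 0, 0)

def constraint_allows_affected(constraint, intervals):
    """True if the constraint could still resolve to an affected version."""
    c_low, c_high = caret_range(constraint)
    return any(max(c_low, low) < min(c_high, high) for low, high in intervals)
```

The 3.x range has a gap: 3.11.1 up to but not including 3.12.0 is not listed as affected, while 3.12.0 up to 3.14.0 is. A ^3.9.3 constraint can already resolve to 3.14.0 on update; raising it to ^3.14.0 makes the affected versions unselectable.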
