- 222/2022
- High
The Twig third-party library for content templating and sanitization has released a security update that affects Drupal versions (8.0.0 to 9.3.22, 9.4.0 to 9.4.7).
The severity of the addressed vulnerability could allow an untrusted user to access private files, the contents of other files on the server, or database credentials.
The remote attacker could exploit this vulnerability to traverse directories on the system, caused by improper validation of user input by the filesystem loader.
The Addressed Vulnerability:
Symfony Twig directory traversal (CVE-2022-39261):
• CVSS: 7.5
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Obtain Information
Note that All versions of Drupal 8 and 9 before 9.3.x are end-of-life and do not receive security coverage.
Vulnerabilities
- CVE-2022-39261
Mitigations
The enterprise should deploy the patch as soon as the testing phase is completed.