#VU102072 Protection Mechanism Failure in Twig - CVE-2024-45411


Vulnerability identifier: #VU102072

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-45411

CWE-ID: CWE-693

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Twig
Web applications / CMS

Vendor: Symfony

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the sandbox security checks are not run under some circumstances. A remote attacker who can supply an untrusted (user-contributed) template can therefore bypass the restrictions the sandbox is meant to enforce.

Mitigation
Upgrade to a fixed release: Twig 1.44.8 (1.x), 2.16.1 (2.x) or 3.14.0 (3.x). See the vendor advisory linked below; no workaround is listed there.
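The following script is an added example written for this bulletin; it is not code from the bulletin, from Twig or from Symfony. It gates on the installed Twig version against the fixed releases above and then runs a small self-test of the sandbox policy: an allowed method call must render, and a disallowed one must raise Twig\Sandbox\SecurityError both in a template rendered directly and in one reached through {% include %}. It assumes a Composer-managed project (vendor/autoload.php) on PHP 8; the User class and template contents are constructed for the example. Note that the self-test does not reproduce the specific circumstance under which the unpatched versions skip the checks, so it is a sanity check of your policy, not a proof that you are unaffected; the version check is the remediation gate.

```php
<?php
// Added example for the bulletin (not Twig's own code). Assumes a Composer
// project with twig/twig installed and PHP 8 (constructor promotion, catch
// without a variable). The User class and templates are constructed here.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Fixed releases from the advisory, keyed by major version.
const FIXED_VERSIONS = [1 => '1.44.8', 2 => '2.16.1', 3 => '3.14.0'];

function twigIsPatched(string $installed): bool
{
    $major = (int) explode('.', $installed)[0];
    if (!isset(FIXED_VERSIONS[$major])) {
        return $major > 3; // assumption: later major lines carry the fix
    }
    return version_compare($installed, FIXED_VERSIONS[$major], '>=');
}

// Hypothetical domain object exposed to untrusted templates.
final class User
{
    public function __construct(private string $name, private string $secret) {}
    public function getName(): string { return $this->name; }
    public function getSecret(): string { return $this->secret; } // must never be reachable
}

// Constructed untrusted templates: one allowed, two that must be rejected.
$loader = new ArrayLoader([
    'safe.twig'        => 'Hello {{ user.getName() }}',
    'direct.twig'      => '{{ user.getSecret() }}',
    'via_include.twig' => '{% include "direct.twig" %}',
]);

$twig = new Environment($loader, ['cache' => false]);

// Allowlist: only the include tag and User::getName(); everything else is denied.
$policy = new SecurityPolicy(
    ['include'],                   // allowed tags
    [],                            // allowed filters
    [User::class => ['getName']],  // allowed methods, per class
    [],                            // allowed properties
    [],                            // allowed functions
);
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// True when rendering the template is stopped by the sandbox.
function rejected(Environment $twig, string $name, array $ctx): bool
{
    try {
        $twig->render($name, $ctx);
        return false;
    } catch (SecurityError) {
        return true;
    }
}

$ctx = ['user' => new User('alice', 'hunter2')];
$results = [
    'version patched'      => twigIsPatched(Environment::VERSION),
    'allowed call renders' => $twig->render('safe.twig', $ctx) === 'Hello alice',
    'direct call rejected' => rejected($twig, 'direct.twig', $ctx),
    'include rejected'     => rejected($twig, 'via_include.twig', $ctx),
];

foreach ($results as $check => $ok) {
    printf("%-22s %s\n", $check, $ok ? 'OK' : 'FAIL');
}
// Non-zero exit lets a CI job fail the build on an unpatched or misconfigured setup.
exit(in_array(false, $results, true) ? 1 : 0);
```

Run it from the project root after composer update twig/twig; a FAIL on "version patched" means the installed release is still in the affected range listed below, and a FAIL on either "rejected" line means the policy itself does not deny the method, independent of this CVE.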

Vulnerable software versions

Twig: 1.x before 1.44.8, 2.x before 2.16.1, 3.x before 3.14.0


External links
https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6
https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de
https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
