{"id":"USN-5947-1","summary":"php-twig, twig vulnerabilities","details":"Fabien Potencier discovered that Twig was not properly enforcing sandbox\npolicies when dealing with objects automatically cast to strings by PHP.\nAn attacker could possibly use this issue to expose sensitive information.\nThis issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.\n(CVE-2019-9942)\n\nMarlon Starkloff discovered that Twig was not properly enforcing closure\nconstraints in some of its array filtering functions. An attacker could\npossibly use this issue to execute arbitrary code. This issue was only\nfixed in Ubuntu 20.04 ESM. (CVE-2022-23614)\n\nDariusz Tytko discovered that Twig was not properly verifying input data\nutilized when defining pathnames used to access files in a system. An\nattacker could possibly use this issue to access unauthorized resources\nand expose sensitive information. (CVE-2022-39261)\n","modified":"2026-04-24T09:47:23.242727509Z","published":"2023-03-13T10:55:33Z","related":["UBUNTU-CVE-2019-9942","UBUNTU-CVE-2022-23614","UBUNTU-CVE-2022-39261"],"upstream":["CVE-2019-9942","CVE-2022-23614","UBUNTU-CVE-2019-9942","UBUNTU-CVE-2022-23614"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5947-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-9942"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-23614"}],"affected":[{"package":{"name":"twig","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/twig@1.23.1-1ubuntu4+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.23.1-1ubuntu4+esm1"}]}],"versions":["1.20.0-1","1.23.1-1ubuntu1","1.23.1-1ubuntu4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.23.1-1ubuntu4+esm1","binary_name":"php-twig"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5947-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-9942"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"twig","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/twig@2.4.6-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.6-1ubuntu0.1~esm1"}]}],"versions":["1.24.0-2ubuntu1","2.4.4-2ubuntu1","2.4.6-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.4.6-1ubuntu0.1~esm1","binary_name":"php-twig"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5947-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-9942"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"php-twig","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/php-twig@2.12.5-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.12.5-1ubuntu0.1~esm1"}]}],"versions":["2.11.3-2","2.12.1-1","2.12.2-1","2.12.3-1","2.12.5-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-cssinliner-extra"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-extra-bundle"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-html-extra"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-inky-extra"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-intl-extra"},{"binary_version":"2.12.5-1ubuntu0.1~esm1","binary_name":"php-twig-markdown-extra"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5947-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-23614"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"php-twig","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/php-twig@3.3.8-2ubuntu4+esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.8-2ubuntu4+esm1"}]}],"versions":["3.3.2-1ubuntu3","3.3.4-1","3.3.6-1","3.3.7-1","3.3.8-2ubuntu4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-cache-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-cssinliner-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-extra-bundle"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-html-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-inky-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-intl-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-markdown-extra"},{"binary_version":"3.3.8-2ubuntu4+esm1","binary_name":"php-twig-string-extra"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5947-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:22.04:LTS"}}}],"schema_version":"1.7.5"}