====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN367
_____________________________________________________________________

DATE                : 11/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Twig versions prior to 1.44.8,
                                    2.16.1, 3.14.0.

===================================================================== 
https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66
_____________________________________________________________________

Possible sandbox bypass
High
fabpot published GHSA-6j75-5wfj-gh66 Sep 9, 2024


Package
twig/twig (Composer)

Affected versions
>1.0.0,<=1.44.7 || >2.0.0,<=2.16.0 || >3.0.0,<=3.11.0 || 
>=3.12.0,<3.14.0

Patched versions
1.44.8,2.16.1,3.14.0


Description

Description

Under some circumstances, the sandbox security checks are not run
which allows user-contributed templates to bypass the sandbox
restrictions.

The security issue happens when all these conditions are met:

     The sandbox is disabled globally;
     The sandbox is enabled via a sandboxed include() function which
references a template name (like included.twig) and not a Template
or TemplateWrapper instance;
     The included template has been loaded before the include() call
but in a non-sandbox context (possible as the sandbox has been
globally disabled).


Resolution

The patch ensures that the sandbox security checks are always run at
runtime.


Credits

We would like to thank Fabien Potencier for reporting and fixing the
issue.


Severity
High

CVE ID
CVE-2024-45411

Weaknesses
No CWEs


Credits

     @fabpot fabpot Finder


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================