First published: Fri Feb 04 2022
# Description

When Twig runs in sandbox mode, the `arrow` parameter of the `sort` filter must be a closure. Before this fix the filter accepted any PHP callable, so a template author could pass the name of an arbitrary PHP function as a string and have the sandbox call it.

# Resolution

Passing a non-Closure callable to the `sort` filter is now disallowed in sandbox mode, as was already the case for some other filters.

# Credits

We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing the issue.
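The following script is an added illustration of the behaviour the advisory describes; it is not Twig's own code and does not depend on the Twig library. `sort_filter_vulnerable` models the pre-fix filter, which hands whatever `arrow` it receives straight to `uasort()`, and `sort_filter_fixed` models the corrected shape, which in sandbox mode rejects anything that is not a `\Closure`. The function `attacker_chosen_function`, the `$sandboxed` flag and the sample array are assumptions made for the demonstration.

```php
<?php
// Added example (not Twig's code): the `sort` filter's `arrow` handling
// before and after the fix described in the advisory.
declare(strict_types=1);

// Call log used to prove that a function chosen by name was actually invoked.
$calls = [];

/** Stand-in for "any PHP function" an attacker could name from a template. */
function attacker_chosen_function(string $a, string $b): int
{
    global $calls;
    $calls[] = [$a, $b];
    return strcmp($a, $b);
}

/** Vulnerable shape: any callable, including a bare function name string, reaches uasort(). */
function sort_filter_vulnerable(array $array, $arrow = null): array
{
    if (null !== $arrow) {
        uasort($array, $arrow);   // 'attacker_chosen_function' from a template string works here
    } else {
        asort($array);
    }
    return $array;
}

/** Fixed shape: in sandbox mode only a Closure (what a template arrow function compiles to) is accepted. */
function sort_filter_fixed(array $array, $arrow = null, bool $sandboxed = false): array
{
    if (null !== $arrow) {
        if ($sandboxed && !$arrow instanceof \Closure) {
            throw new RuntimeException('The callable passed to the "sort" filter must be a Closure in sandbox mode.');
        }
        uasort($array, $arrow);
    } else {
        asort($array);
    }
    return $array;
}

$data = ['b' => 'beta', 'a' => 'alpha'];   // constructed sample input

// 1. Vulnerable: a function *name* supplied as a string is invoked by uasort().
sort_filter_vulnerable($data, 'attacker_chosen_function');
printf("vulnerable: named function invoked %d time(s)\n", count($calls));

// 2. Fixed, sandboxed: the same string is rejected before uasort() runs.
$calls = [];
try {
    sort_filter_fixed($data, 'attacker_chosen_function', true);
} catch (RuntimeException $e) {
    echo "fixed:      ", $e->getMessage(), "\n";
}
printf("fixed:      named function invoked %d time(s)\n", count($calls));

// 3. Fixed, sandboxed: a real Closure still sorts as intended.
$sorted = sort_filter_fixed($data, fn(string $x, string $y): int => strcmp($x, $y), true);
echo "fixed:      closure sort -> ", implode(',', $sorted), "\n";
```

In Twig terms, `{{ items|sort((a, b) => a <=> b) }}` compiles the arrow function to a `\Closure` and keeps working after the fix, whereas `{{ items|sort('some_function') }}` passes a plain string and is the case the sandbox now rejects. Note that the check only applies when the sandbox is active; outside sandbox mode, templates are trusted and any callable is still accepted.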
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
composer/twig/twig | >=2.0.0 <2.14.11 | 2.14.11
composer/twig/twig | >=3.0.0 <3.3.8 | 3.3.8
debian/php-twig | 2.14.3-1+deb11u2, 3.5.1-1, 3.7.1-1 |
debian/twig | 2.6.2-2, 2.6.2-2+deb10u1 |
Symfony Twig | >=2.0.0 <2.14.11 |
Symfony Twig | >=3.0.0 <3.3.8 |
Fedoraproject Fedora | =34 |
Fedoraproject Fedora | =35 |
Debian Debian Linux | =11.0 |
The vulnerability ID for this issue is CVE-2022-23614.
The title of this vulnerability is "Disallow non closures in the sort filter".
The affected software is Twig.
Twig versions from 2.0.0 up to but not including 2.14.11, and from 3.0.0 up to but not including 3.3.8, are affected; 2.14.11 and 3.3.8 contain the fix.
You can find more information about this vulnerability at the following link: [Twig Security Release](https://symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter)