vulnerability

Ubuntu: USN-5947-1 (CVE-2022-23614): Twig vulnerabilities

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Feb 4, 2022

Added

Mar 22, 2023

Modified

Mar 27, 2026

Description

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

Solution

ubuntu-pro-upgrade-php-twig

References

CVE-2022-23614
https://attackerkb.com/topics/CVE-2022-23614
CWE-74
CWE-94
DEBIAN-DSA-5107
EUVD-EUVD-2022-0842
UBUNTU-USN-5947-1
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-0842

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report