symfony/twig-bundle-v6.2.7: 5 vulnerabilities (highest severity is: 8.5) #606
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - twig/twig-v3.5.1
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/a6e0510cc793912b451fd40ab983a1d28f611c15
Dependency Hierarchy:
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Found in base branch: develop
Vulnerability Details
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.
Publish Date: 2024-09-09
URL: CVE-2024-45411
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6j75-5wfj-gh66
Release Date: 2024-09-09
Fix Resolution: twig/twig-v1.44.8,v2.16.1,v3.14.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/twig-bridge-v6.2.8
Provides integration for Twig with various Symfony components
Library home page: https://api.github.com/repos/symfony/twig-bridge/zipball/30e3ad6ae749b2d2700ecf9b4a1a9d5c96b18927
Dependency Hierarchy:
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use
is_safe=htmlbut don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.Publish Date: 2023-11-10
URL: CVE-2023-46734
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-46734
Release Date: 2023-11-10
Fix Resolution: v4.4.51,v5.4.31,v6.3.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v6.2.8
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/511a524affeefc191939348823ac75e9921c2112
Dependency Hierarchy:
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v3.5.1
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/a6e0510cc793912b451fd40ab983a1d28f611c15
Dependency Hierarchy:
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Found in base branch: develop
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the "__isset()" method is now called after the security check. This is a BC break. This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51755
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-51755
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - twig/twig-v3.5.1
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/a6e0510cc793912b451fd40ab983a1d28f611c15
Dependency Hierarchy:
Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd
Found in base branch: develop
Vulnerability Details
Twig is a template language for PHP. In a sandbox, an attacker can call "__toString()" on an object even if the "__toString()" method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-11-06
URL: CVE-2024-51754
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6377-hfv9-hqf6
Release Date: 2024-11-06
Fix Resolution: twig/twig-3.11.2,3.14.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: