A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
References
Link | Resource |
---|---|
https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077 | Patch Third Party Advisory |
https://seclists.org/bugtraq/2019/Mar/60 | Mailing List Third Party Advisory |
https://symfony.com/blog/twig-sandbox-information-disclosure | Patch Vendor Advisory |
https://www.debian.org/security/2019/dsa-4419 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-03-23T14:31:53
Updated: 2019-04-01T07:06:07
Reserved: 2019-03-23T00:00:00
Link: CVE-2019-9942
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-03-23T15:29:00.323
Modified: 2022-04-05T20:10:01.113
Link: CVE-2019-9942
JSON object: View
Redhat Information
No data.
CWE