
<div dir="ltr"><br><div class="gmail_quote"><br>View online: <a href="https://www.drupal.org/sa-core-2022-016" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2022-016</a><br>

<br>

Project: Drupal core [1]<br>

Date: 2022-September-28<br>

Security risk: *Critical* 18∕25<br>

AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:All [2]<br>

Vulnerability: Multiple vulnerabilities<br>

<br>

Affected versions: >= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7<br>

Description: <br>

Drupal uses the Twig [3] third-party library for content templating and<br>

sanitization. Twig has released a security update [4] that affects Drupal.<br>

Twig has rated the vulnerability as high severity.<br>

<br>

Drupal core's code extending Twig has also been updated to mitigate a related<br>

vulnerability.<br>

<br>

Multiple vulnerabilities are possible if an untrusted user has access to<br>

write Twig code, including potential unauthorized read access to private<br>

files, the contents of other files on the server, or database credentials.<br>

<br>

The vulnerability is mitigated by the fact that an exploit is only possible<br>

in Drupal core with a restricted access administrative permission. Additional<br>

exploit paths for the same vulnerability may exist with contributed or custom<br>

code that allows users to write Twig templates.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you are using Drupal 9.4, update to Drupal 9.4.7 [5].<br>

   * If you are using Drupal 9.3, update to Drupal 9.3.22 [6].<br>

<br>

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive<br>

security coverage. Note that Drupal 8 has reached its end of life [7].<br>

<br>

Drupal 7 core does not include Twig and therefore is not affected.<br>

<br>

Reported By: <br>

   * Fabien Potencier [8]<br>

   * Nicolas Grekas [9]<br>

   * James Williams [10]<br>

<br>

Fixed By: <br>

   * xjm [11] of the Drupal Security Team<br>

   * Alex Pott [12] of the Drupal Security Team<br>

   * Sascha Grossenbacher [13]<br>

   * Lee Rowlands [14] of the Drupal Security Team<br>

   * Lauri Eskola [15], provisional member of the Drupal Security Team<br>

   * Nathaniel Catchpole [16] of the Drupal Security Team<br>

   * Dave Long [17], provisional member of the Drupal Security Team<br>

   * cilefen  [18] of the Drupal Security Team<br>

   * James Williams [19]<br>

   * Benji Fisher [20], provisional member of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://twig.symfony.com/" rel="noreferrer" target="_blank">https://twig.symfony.com/</a><br>

[4]<br>

<a href="https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader" rel="noreferrer" target="_blank">https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader</a><br>

[5] <a href="https://www.drupal.org/project/drupal/releases/9.4.7" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.4.7</a><br>

[6] <a href="https://www.drupal.org/project/drupal/releases/9.3.22" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.3.22</a><br>

[7] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>

[8] <a href="https://www.drupal.org/user/1467782" rel="noreferrer" target="_blank">https://www.drupal.org/user/1467782</a><br>

[9] <a href="https://www.drupal.org/user/3407972" rel="noreferrer" target="_blank">https://www.drupal.org/user/3407972</a><br>

[10] <a href="https://www.drupal.org/user/592268" rel="noreferrer" target="_blank">https://www.drupal.org/user/592268</a><br>

[11] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>

[12] <a href="https://www.drupal.org/user/157725" rel="noreferrer" target="_blank">https://www.drupal.org/user/157725</a><br>

[13] <a href="https://www.drupal.org/user/214652" rel="noreferrer" target="_blank">https://www.drupal.org/user/214652</a><br>

[14] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>

[15] <a href="https://www.drupal.org/user/1078742" rel="noreferrer" target="_blank">https://www.drupal.org/user/1078742</a><br>

[16] <a href="https://www.drupal.org/user/35733" rel="noreferrer" target="_blank">https://www.drupal.org/user/35733</a><br>

[17] <a href="https://www.drupal.org/user/246492" rel="noreferrer" target="_blank">https://www.drupal.org/user/246492</a><br>

[18] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>

[19] <a href="https://www.drupal.org/user/592268" rel="noreferrer" target="_blank">https://www.drupal.org/user/592268</a><br>

[20] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>

</div></div>