CVE-2022-39261: Twig directory traversal flaw affects Drupal core
The Drupal security team has released a “critical” advisory calling attention to a severe vulnerability in a third-party library, warning that attackers could exploit it to read private files, the contents of other files on the server, or database credentials on Drupal-powered websites.
The vulnerability, tracked as CVE-2022-39261, was found and fixed in Twig, a third-party PHP template engine designed to be friendly to both designers and developers by sticking to PHP’s principles while adding functionality useful for templating environments.
“Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core’s code extending Twig has also been updated to mitigate a related vulnerability,” read the Drupal advisory.
Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites.
CVE-2022-39261 is caused by improper validation of template names in Twig’s filesystem loader. The loader rejects names whose “..” segments would climb above the configured template directories, but when the name carries a namespace, such as @somewhere/../some.file, that check is bypassed. An attacker who can get such a name into a source or include statement of a template can therefore read arbitrary files from outside the templates directory.
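The following PHP is an added illustration, not Twig’s own source. It models a filesystem loader the way the advisory describes it: a level-counting name check plus a routine that splits off the @namespace, with the check run once on the full name (the bypass) and once on the parsed short name (the hardened form). The function names, the exception type and the directory layout are assumptions for this example.

```php
<?php
// Added example modelling the CVE-2022-39261 bypass; not Twig's code.
// validateName/parseName/findTemplate* and the paths below are assumptions.

// Rejects names whose ".." segments climb above the directory the name is
// joined onto. Every ordinary segment counts as one level of depth, so a
// leading "@namespace" segment is counted as a directory even though it is
// not part of the path that gets resolved.
function validateName(string $name): void
{
    if (strpos($name, "\0") !== false) {
        throw new RuntimeException('A template name cannot contain NUL bytes.');
    }
    $level = 0;
    foreach (explode('/', ltrim($name, '/')) as $part) {
        if ($part === '..') {
            --$level;
        } elseif ($part !== '.') {
            ++$level;
        }
        if ($level < 0) {
            throw new RuntimeException("Template name escapes configured directories ($name).");
        }
    }
}

// Splits "@ns/path/to.twig" into [namespace, shortname]; plain names belong
// to the main namespace.
function parseName(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $pos = strpos($name, '/');
        if ($pos === false) {
            throw new RuntimeException("Malformed namespaced template name ($name).");
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    return ['__main__', $name];
}

function namespaceDir(array $paths, string $namespace): string
{
    if (!isset($paths[$namespace])) {
        throw new RuntimeException("Unknown template namespace ($namespace).");
    }
    return $paths[$namespace];
}

// Vulnerable ordering: validate the full name, then parse it. "@somewhere"
// absorbs the following "..", so "@somewhere/../some.file" passes and the
// loader joins "../some.file" onto the namespace directory.
function findTemplateVulnerable(array $paths, string $name): string
{
    validateName($name);
    [$namespace, $shortname] = parseName($name);
    return namespaceDir($paths, $namespace) . '/' . $shortname;
}

// Hardened ordering: parse first, then validate the shortname that is
// actually joined onto a directory.
function findTemplateFixed(array $paths, string $name): string
{
    [$namespace, $shortname] = parseName($name);
    validateName($shortname);
    return namespaceDir($paths, $namespace) . '/' . $shortname;
}

// Constructed sample configuration: one main directory and one namespaced
// directory that lives inside a module, outside the main templates tree.
$paths = [
    '__main__'  => '/var/www/site/templates',
    'somewhere' => '/var/www/site/modules/somewhere/templates',
];

$names = [
    'page.html.twig',                   // ordinary name, accepted by both
    '@somewhere/../settings.php',       // one level above the namespace dir
    '@somewhere/../../other/secret.txt',// second ".." trips even the old check
    '../../etc/passwd',                 // no namespace, rejected by both
];

foreach ($names as $name) {
    foreach (['findTemplateVulnerable', 'findTemplateFixed'] as $fn) {
        try {
            printf("%-22s %-36s -> %s\n", $fn, $name, $fn($paths, $name));
        } catch (RuntimeException $e) {
            printf("%-22s %-36s -> rejected: %s\n", $fn, $name, $e->getMessage());
        }
    }
}
```

Running it shows the point of the advisory: the vulnerable ordering resolves @somewhere/../settings.php to /var/www/site/modules/somewhere/settings.php, a file that no template directory was ever configured to expose, while the hardened ordering rejects it because the shortname ../settings.php goes below level zero on its first segment. Note that a single namespace segment only buys one “..”, so the reachable files are those directly above a namespaced directory (and anything beneath that level); the original level counter still catches a second “..”.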
The security team recommends that site owners install the patched releases, Drupal 9.3.22 or Drupal 9.4.7. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Sites that pull in Twig outside of Drupal core should update the library itself to 1.44.7, 2.15.3 or 3.4.3, the Twig releases that carry the fix.