CVE-2017-7497 is a bug in the Twig template engine. When parsing template code, Twig failed to correctly validate parameters. This could have allowed an attacker to supply arbitrary PHP code to be executed, possibly allowing for a number of attacks. Twig is an open source web development framework written in PHP. When in a sandboxed or non-extended mode, Twig `sort` filters must be invoked using Closure and not function syntax, as is the case for some other filter types. In affected versions, this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now enforce the Closure parameter type in `sort` filters. Users are advised to upgrade.
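The following PHP snippet is an added illustration, not Twig's own code, of the constraint described above: when the sandbox is enabled, the optional comparison callback of the `sort` filter is accepted only if it is a `Closure`, and a function name supplied as a string is rejected. The names `sortSandboxed`, `SandboxViolation` and the `$isSandboxed` flag are assumptions made for this example; the sample data is constructed.

```php
<?php
// Added example (not Twig's own code): a minimal stand-in for the check that
// patched Twig versions apply to the `sort` filter's optional callback when the
// sandbox is enabled. Names below (sortSandboxed, SandboxViolation, $isSandboxed)
// are hypothetical.
declare(strict_types=1);

final class SandboxViolation extends RuntimeException {}

/**
 * Sort $items with an optional comparison callback.
 *
 * Outside the sandbox any PHP callable is accepted, as before. Inside the
 * sandbox only a Closure (for example a Twig arrow function) is accepted: a
 * string such as "strcasecmp" names a PHP function, and accepting names would
 * let template code reach arbitrary functions of the host application.
 */
function sortSandboxed(array $items, ?callable $arrow, bool $isSandboxed): array
{
    if ($arrow !== null && $isSandboxed && !($arrow instanceof Closure)) {
        throw new SandboxViolation(
            'The "arrow" argument of the "sort" filter must be a Closure in sandbox mode.'
        );
    }

    if ($arrow === null) {
        asort($items);          // default behaviour: plain ascending sort, keys kept
    } else {
        uasort($items, $arrow); // caller-supplied comparison, keys kept
    }

    return $items;
}

// --- usage, with constructed sample data --------------------------------

$names = ['bob', 'alice', 'Carol'];

// A Closure is accepted both inside and outside the sandbox.
$byLength = fn(string $a, string $b): int => strlen($a) <=> strlen($b);
print_r(sortSandboxed($names, $byLength, true));

// A function name given as a string is still accepted outside the sandbox ...
print_r(sortSandboxed($names, 'strcasecmp', false));

// ... but is rejected inside it, which is the behaviour the fix introduces.
try {
    sortSandboxed($names, 'strcasecmp', true);
} catch (SandboxViolation $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The `instanceof Closure` test is the whole point: a type hint of `callable` alone is not enough, because in PHP a plain string that names a function satisfies `callable`. Restricting the sandboxed path to `Closure` keeps the template author limited to comparison logic written in the template itself.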

Vulnerability Highlights:

- CVE-2017-7497 is a bug in the Twig template engine.
- When parsing template code, Twig failed to correctly validate parameters.
- This could have allowed an attacker to supply arbitrary PHP code to be executed.
- In affected versions, this constraint was not properly enforced and could lead to code injection of arbitrary PHP code.
- Patched versions now enforce the Closure parameter type in `sort` filters. Users are advised to upgrade.

References:

1. CVE-2022-23614
2. CVE-2017-7497
3. CVE Notice

Bug details:

- CVE-2017-7497: Bug in the Twig template engine. When parsing template code, Twig failed to correctly validate parameters. This could have allowed an attacker to supply arbitrary PHP code to be executed, possibly allowing for a number of attacks.
- Patched versions now enforce the Closure parameter type in `sort` filters.

Timeline

Published on: 02/04/2022 23:15:00 UTC
Last modified on: 04/18/2022 19:34:00 UTC