House › Vulnerabilities

Drupal Updates Patch Vulnerability in Twig Template Engine

By Ionut Arghire on September 29, 2022

Tweet

Updates introduced for Drupal this week handle a extreme vulnerability in Twig that might result in the leakage of delicate data.

Drupal is a PHP-based open supply net content material administration system that has been utilizing Twig as its default templating engine since Drupal 8, which was first launched in November 2015.

Tracked as CVE-2022-39261, the vulnerability may enable an attacker to load templates exterior a configured listing, through the filesystem loader.

“When utilizing the filesystem loader to load templates for which the identify is a consumer enter, it’s attainable to make use of the ‘supply’ or ‘embody’ assertion to learn arbitrary recordsdata from exterior the templates listing when utilizing a namespace like ‘@someplace/../some.file’ (in such a case, validation is bypassed),” Twig explains.

The vulnerability has been assigned a ‘excessive’ severity score, or ‘crucial’ based mostly on the scoring system utilized by Drupal. Twig has addressed the flaw with the discharge of variations 1.44.7, 2.15.3, and three.4.3.

“A number of vulnerabilities are attainable if an untrusted consumer has entry to write down Twig code, together with potential unauthorized learn entry to personal recordsdata, the contents of different recordsdata on the server, or database credentials,” Drupal notes in an advisory.

The safety flaw is mitigated by the truth that an attacker requires a restricted entry administrative permission to use the vulnerability. Nonetheless, Drupal notes that contributed or customized code permitting customers to write down Twig templates could create extra exploit paths.

Drupal addressed the vulnerability with the discharge of Drupal 9.4.7 and Drupal 9.3.22. Whereas end-of-life variations previous to Drupal 9.Three won’t obtain a patch, Drupal 7 core iterations are usually not affected, as they don’t embody Twig.

This week, Drupal additionally introduced a patch for the S3 File System, to resolve an entry bypass subject. The module, which is supposed to permit S3-compatible storage for use as a Drupal filesystem, fails to “sufficiently stop file entry throughout a number of filesystem schemes saved in the identical bucket”.

“This vulnerability is mitigated by the truth that an attacker should get hold of a technique to entry arbitrary file paths, the positioning should have public or non-public takeover enabled, and the file metadata cache have to be ignored,” Drupal notes.

Customers who depend on the S3 File System module for Drupal 7.x are suggested to replace to model 7.x-2.14 of the module, which resolves the vulnerability.

Associated: Drupal Updates Patch One other Vulnerability Associated to Archive Recordsdata

Associated: Entry Bypass, Knowledge Overwrite Vulnerabilities Patched in Drupal

Associated: Code Execution and Different Vulnerabilities Patched in Drupal

Get the Day by day Briefing

• Most Current
• Most Learn

• NSA Cyber Specialist, Military Physician Charged in US Spying Instances
• North Korean Gov Hackers Caught Rigging Legit Software program
• Traders Wager on Ox Safety to Guard Software program Provide Chains
• Extra Than Half of Safety Professionals Say Dangers Larger in Cloud Than On Premise
• Particulars Disclosed After Schneider Electrical Patches Important Flaw Permitting PLC Hacking
• Australia Flags Powerful New Knowledge Safety Legal guidelines This 12 months
• Drupal Updates Patch Vulnerability in Twig Template Engine
• Hackers Probably From China Utilizing New Technique to Deploy Persistent ESXi Backdoors
• Auth0 Finds No Breach Following Supply Code Compromise
• Multi-Cloud Networks Require Cloud-Native Safety

On the lookout for Malware in All of the Incorrect Locations?

First Step For The Web’s subsequent 25 years: Including Safety to the DNS

Tattle Story: What Your Pc Says About You

Be in a Place to Act By means of Cyber Situational Consciousness

Report Reveals Closely Regulated Industries Letting Social Networking Apps Run Rampant

2010, A Nice 12 months To Be a Scammer.

Do not Let DNS be Your Single Level of Failure

The way to Determine Malware in a Blink

Defining and Debating Cyber Warfare

The 5 A’s that Make Cybercrime so Enticing

The way to Defend In opposition to DDoS Assaults

Safety Budgets Not in Line with Threats

Anycast – Three Causes Why Your DNS Community Ought to Use It

The Evolution of the Prolonged Enterprise: Safety Methods for Ahead Pondering Organizations

Utilizing DNS Throughout the Prolonged Enterprise: It’s Dangerous Enterprise

Orbit Brain

https://orbitbrain.com/

Orbit Brain is the senior science writer and technology expert. Our aim provides the best information about technology and web development designing SEO graphics designing video animation tutorials and how to use software easy ways
and much more. Like Best Service Latest Technology, Information Technology, Personal Tech Blogs, Technology Blog Topics, Technology Blogs For Students, Futurism Blog.