Updates announced for Drupal this week address a severe vulnerability in Twig that could leak sensitive information.
Drupal is an open-source, PHP-based web content management system that has used Twig as its default templating engine since Drupal 8, first released in November 2015.
Tracked as CVE-2022-39261, the vulnerability could allow an attacker to load templates from outside the configured template directory via Twig's filesystem loader.
“When using the filesystem loader to load templates for which the name is user input, it is possible to use the ‘source’ or ‘include’ statement to read arbitrary files outside of the templates directory when using a namespace like ‘@somewhere/../some.file’ (in this case validation is skipped)”, Twig explains.
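The failure mode Twig describes is a validation step that runs on the full name before the namespace prefix is stripped, so the "@namespace" token counts as a directory level and lets "../" climb out of the template root. The following PHP is an added illustration written for this article, not Twig's own code: the legacy-style check is a simplified reconstruction of the pattern, the template root paths are hypothetical, and the hardened resolver shows the check a loader should apply after the namespace has been removed.

```php
<?php
declare(strict_types=1);

// Added example, not Twig's code. Namespace roots below are hypothetical.
const TEMPLATE_PATHS = [
    '__main__'  => '/var/www/site/templates',
    'somewhere' => '/var/www/site/templates/somewhere',
];

/**
 * Legacy-style check (simplified reconstruction): counts ".." against other
 * segments over the WHOLE name, including the "@namespace" token. Because
 * that token is not a real directory, "@somewhere/../some.file" nets out to
 * +1 and is accepted even though the short name escapes the namespace root.
 */
function legacyLooksSafe(string $name): bool
{
    $level = 0;
    foreach (explode('/', $name) as $part) {
        if ($part === '..') {
            $level--;
        } elseif ($part !== '.' && $part !== '') {
            $level++;
        }
        if ($level < 0) {
            return false;
        }
    }
    return true;
}

/** Split "@ns/path" into [ns, path]; bare names belong to the main namespace. */
function parseName(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $slash = strpos($name, '/');
        if ($slash === false) {
            return ['', ''];
        }
        return [substr($name, 1, $slash - 1), substr($name, $slash + 1)];
    }
    return ['__main__', $name];
}

/**
 * Hardened resolution: normalise the short name lexically AFTER the namespace
 * is stripped, and refuse any name that would climb above the namespace root.
 * Returns the resolved path, or null when the name is rejected.
 */
function resolveTemplate(string $name, array $paths = TEMPLATE_PATHS): ?string
{
    $name = str_replace('\\', '/', $name);
    [$ns, $short] = parseName($name);
    if ($ns === '' || !isset($paths[$ns])) {
        return null;                                   // unknown namespace
    }
    if ($short === '' || $short[0] === '/' || str_contains($short, "\0")
        || preg_match('/^[A-Za-z]:/', $short) === 1) {
        return null;                                   // absolute path or NUL byte
    }
    $segments = [];
    foreach (explode('/', $short) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            if ($segments === []) {
                return null;                           // would escape the root
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $part;
    }
    if ($segments === []) {
        return null;
    }
    return rtrim($paths[$ns], '/') . '/' . implode('/', $segments);
}

// Constructed sample names: the CVE pattern, a benign name, a benign
// in-root "..", and a plain traversal that both checks reject.
$samples = [
    '@somewhere/../some.file',
    'index.html.twig',
    '@somewhere/sub/../page.html.twig',
    '../etc/passwd',
];
foreach ($samples as $n) {
    printf("%-36s legacy=%-6s hardened=%s\n", $n,
        legacyLooksSafe($n) ? 'pass' : 'reject',
        resolveTemplate($n) ?? 'reject');
}
```

Run with `php example.php`: the first sample passes the legacy-style count but is rejected by the hardened resolver, the third is accepted by both because its ".." stays inside the namespace root, and the last is rejected by both. The practical takeaway for a site owner is the same as Drupal's: template names derived from user input need the post-namespace check that the fixed Twig releases provide, and any contributed or custom module that lets users author Twig should be reviewed for the same assumption.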
Drupal rates the vulnerability as “high” or “critical” under its own rating system. Twig fixed the flaw in versions 1.44.7, 2.15.3, and 3.4.3.
“Several vulnerabilities are possible if an untrusted user gains access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials,” Drupal notes in an advisory.
The flaw is mitigated by the fact that an attacker needs a restricted administrative permission to exploit it. However, Drupal notes that contributed or custom code that allows users to write Twig templates can open additional exploitation paths.
Drupal fixed the vulnerability in Drupal 9.4.7 and Drupal 9.3.22. End-of-life versions prior to Drupal 9.3 will not receive a patch; Drupal 7 core is unaffected, as it does not include Twig.
This week, Drupal also announced a patch for the S3 File System module to resolve an access bypass issue. The module, which allows S3-compatible storage to be used as a Drupal file system, fails to “sufficiently prevent access to files across multiple file system schemes stored in the same bucket”.
“This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have a public or private takeover enabled, and the file metadata cache must be bypassed,” notes Drupal.
Users of the S3 File System module for Drupal 7.x are advised to update to version 7.x-2.14 of the module, which addresses the vulnerability.