Updates announced for Drupal this week address a severe vulnerability in Twig that could lead to the leakage of sensitive information.
Drupal is a PHP-based open source web content management system that has been using Twig as its default templating engine since Drupal 8, which was first released in November 2015.
Tracked as CVE-2022-39261, the vulnerability could allow an attacker to load templates outside a configured directory, via the filesystem loader.
“When using the filesystem loader to load templates for which the name is a user input, it is possible to use the ‘source’ or ‘include’ statement to read arbitrary files from outside the templates directory when using a namespace like ‘@somewhere/../some.file’ (in such a case, validation is bypassed),” Twig explains.
The vulnerability has been assigned a ‘high’ severity rating, or ‘critical’ based on the scoring system used by Drupal. Twig has addressed the flaw with the release of versions 1.44.7, 2.15.3, and 3.4.3.
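The namespace bypass Twig describes can be illustrated with a simplified model of a name check, added here as an example; it is not Twig's or Drupal's code. The function names and the depth-counting check are assumptions made for illustration, and the sample names are constructed.

```php
<?php
// Simplified model of a namespaced template name check (constructed for illustration).

// Depth-counting check: reject a name whose ".." segments climb above its start.
function staysInside(string $name): bool
{
    $level = 0;
    foreach (explode('/', str_replace('\\', '/', $name)) as $part) {
        if ($part === '..') {
            $level--;
        } elseif ($part !== '' && $part !== '.') {
            $level++;
        }
        if ($level < 0) {
            return false;
        }
    }
    return true;
}

// Split "@namespace/path" into [namespace, path]; names without "@" use "__main__".
function splitName(string $name): array
{
    if ($name !== '' && $name[0] === '@') {
        $pos = strpos($name, '/');
        if ($pos === false) {
            throw new InvalidArgumentException("Malformed namespaced name: $name");
        }
        return [substr($name, 1, $pos - 1), substr($name, $pos + 1)];
    }
    return ['__main__', $name];
}

// Weak order: validate the whole name, so "@somewhere" counts as one level of depth.
function acceptsWeak(string $name): bool
{
    return staysInside($name);
}

// Corrected order: strip the namespace first, then validate only the path part.
function acceptsStrict(string $name): bool
{
    [, $path] = splitName($name);
    return staysInside($path);
}

// Constructed sample names: two legitimate ones and the pattern quoted in the advisory.
foreach (['@somewhere/page.twig', '@somewhere/sub/../page.twig', '@somewhere/../some.file'] as $name) {
    printf("%-30s weak=%s strict=%s\n", $name,
        var_export(acceptsWeak($name), true), var_export(acceptsStrict($name), true));
}
```

Resolving the final path with realpath() and confirming it still begins with the namespace directory adds a second check that also covers symlinks.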
“Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials,” Drupal notes in an advisory.
The security flaw is mitigated by the fact that an attacker requires a restricted access administrative permission to exploit the vulnerability. However, Drupal notes that contributed or custom code allowing users to write Twig templates may create additional exploit paths.
Drupal addressed the vulnerability with the release of Drupal 9.4.7 and Drupal 9.3.22. While end-of-life versions prior to Drupal 9.3 will not receive a patch, Drupal 7 core iterations are not affected, as they do not include Twig.
This week, Drupal also announced a patch for the S3 File System module, to resolve an access bypass issue. The module, which is meant to allow S3-compatible storage to be used as a Drupal filesystem, fails to “sufficiently prevent file access across multiple filesystem schemes stored in the same bucket”.
“This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored,” Drupal notes.
Users who rely on the S3 File System module for Drupal 7.x are advised to update to version 7.x-2.14 of the module, which resolves the vulnerability.