Candidate: CVE-2019-9942
PublicDate: 2019-03-23 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9942
 https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
 https://symfony.com/blog/twig-sandbox-information-disclosure
Description:
 A sandbox information disclosure exists in Twig before 1.38.0 and 2.x
 before 2.7.0 because, under some circumstances, it is possible to call the
 __toString() method on an object even if not allowed by the security policy
 in place.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [3.7 LOW]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [3.7 LOW]

Patches_twig:
 upstream: https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077
upstream_twig: released (2.6.2-2)
precise/esm_twig: DNE
trusty_twig: DNE
trusty/esm_twig: DNE
xenial_twig: not-affected (code not present)
bionic_twig: needed
cosmic_twig: ignored (reached end-of-life)
disco_twig: not-affected (2.6.2-2)
eoan_twig: DNE
focal_twig: DNE
groovy_twig: DNE
hirsute_twig: DNE
impish_twig: DNE
jammy_twig: DNE
devel_twig: DNE

Patches_php-twig:
upstream_php-twig: needs-triage
precise/esm_php-twig: DNE
trusty_php-twig: DNE
trusty/esm_php-twig: DNE
xenial_php-twig: DNE
bionic_php-twig: DNE
disco_php-twig: DNE
eoan_php-twig: not-affected (2.6.2-2)
focal_php-twig: not-affected (2.6.2-2)
groovy_php-twig: not-affected (2.6.2-2)
hirsute_php-twig: not-affected (2.6.2-2)
impish_php-twig: not-affected (2.6.2-2)
jammy_php-twig: not-affected (2.6.2-2)
devel_php-twig: not-affected (2.6.2-2)