CVE-2024-51754
php-twig - security update
2.2
LOW
CVSS 3.1
EPSS 0.14%
Description
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.
How to fix CVE-2024-51754
To remediate CVE-2024-51754, upgrade the affected package to a fixed version below.
- —upgrade to 2.14.3-1+deb11u4 or later
- —upgrade to 2.14.3-1+deb11u4 or later
- —upgrade to 3.11.2 or later
Is CVE-2024-51754 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.14.3-1+deb11u4
- from 0, < 2.14.3-1+deb11u4
- from 0, < 3.11.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW2.2 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N |