CVE-2024-51754

Publication date 6 November 2024

Last updated 13 November 2024


Ubuntu priority

Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue.

Status

Package Ubuntu Release Status
php-twig 24.10 oracular
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
twig 24.10 oracular Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation