OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: https://ossindex.sonatype.org/vulnerability/f5e0eedd-a789-46e6-975a-342464e86cfb #217

Open oconnedk opened 2 years ago

oconnedk commented 2 years ago

Vulnerability URL
Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/f5e0eedd-a789-46e6-975a-342464e86cfb

Component URL
Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:composer/twig/twig

Description
The person that raised this bug unfortunately does not appear to understand how Twig, which is a templating engine, works. Twig allows for the dynamic expansion of variables into a web (or other) page, e.g.

hello {{name}}

Would yield: "hello Dave" if the variable $name had the value "Dave".

Part of the macro expansion is that Twig can do maths.

The person was surprised that a web page with the content:

http://localhost/search?search_key={{4*4}} 

Would resolve to: http://localhost/search?search_key=16

And further they think that this would yield a system ls command:

http://localhost/search?search_key={{ls}} 

It wouldn't! It also shows they do not know how to use Twig. What that would yield is the value of the variable $ls, which most likely would be null (blank string).

See this: https://www.exploit-db.com/exploits/44102

So, to summarise, there is absolutely no such vulnerability, which is why the Github Issue was closed on the day it was opened: https://github.com/twigphp/Twig/issues/2743

Further investigation was undertaken here: https://github.com/picocms/Pico/issues/513

Where the result was that the bug report was a "false warning/exploit.", which is correct.
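As an added example (not code from the issue thread, from Twig or from Pico), the PHP script below shows the two situations the comment distinguishes: user input rendered as a variable inside a fixed template, and user input compiled as the template itself. It assumes twig/twig is installed through Composer; the template name and variable names are constructed for illustration.

```php
<?php
// Added example: user input as *data* versus user input as *template text*.
// Assumes twig/twig is installed via Composer (vendor/autoload.php exists).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Fixed template controlled by the application; only the variable value
// comes from the request. Template name is constructed for this example.
$loader = new ArrayLoader([
    'search.twig' => 'results for {{ search_key }}',
]);
$twig = new Environment($loader);

// Constructed sample of the query parameter discussed in the issue.
$userInput = '{{4*4}}';

// Case 1: the input is passed as a variable. Twig treats it as a plain
// string (HTML-escaped by the default autoescape), so the braces and the
// "4*4" are emitted literally; no expression is evaluated.
echo $twig->render('search.twig', ['search_key' => $userInput]), PHP_EOL;

// Case 2: the input is used to build the template source itself. Now Twig
// parses it as template syntax and evaluates the arithmetic, which is the
// "{{4*4}} becomes 16" behaviour the comment describes. Keeping request
// data out of template source (Case 1) is the mitigation.
echo $twig->createTemplate('results for ' . $userInput)->render([]), PHP_EOL;

// Case 3: "{{ ls }}" is a lookup of a template variable named "ls", not a
// command. With Twig's default strict_variables=false, an undefined
// variable is null and renders as an empty string between the brackets.
echo '[', $twig->createTemplate('{{ ls }}')->render([]), ']', PHP_EOL;
```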

ken-duck commented 2 years ago

Sorry for the delay. OSS Index does not have a built-in way to easily delete vulnerabilities which still exist in NVD (at this time). Instead I have made the affected version to be all those below version 0, which means it won't show on queries.

The change should be in the public database by sometime tomorrow.