GHSA-29gp-2c3m-3j6m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-29gp-2c3m-3j6m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29gp-2c3m-3j6m/GHSA-29gp-2c3m-3j6m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-29gp-2c3m-3j6m
- Aliases
- Published
- 2022-01-12T22:43:00Z
- Modified
- 2024-02-17T05:36:41.642347Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Sandbox Escape by math function in smarty
- Details
-
Impact
Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string is passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.
Patches
Please upgrade to 4.0.2 or 3.1.42 or higher.
References
See documentation on Math function.
For more information
If you have any questions or comments about this advisory please open an issue in the Smarty repo
- References
-
- https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m
- https://nvd.nist.gov/vuln/detail/CVE-2021-29454
- https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71
- https://github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml
- https://github.com/smarty-php/smarty
- https://github.com/smarty-php/smarty/releases/tag/v3.1.42
- https://github.com/smarty-php/smarty/releases/tag/v4.0.2
- https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI
- https://packagist.org/packages/smarty/smarty
- https://security.gentoo.org/glsa/202209-09
- https://www.debian.org/security/2022/dsa-5151
- https://www.smarty.net/docs/en/language.function.math.tpl
Affected packages
Packagist / smarty/smarty
Package
- Name
- smarty/smarty
- Purl
- pkg:composer/smarty/smarty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.1.42
Affected versions
v2.*
v2.6.24
v2.6.25
v2.6.26
v2.6.27
v2.6.28
v2.6.29
v2.6.30
v2.6.31
v2.6.33
v3.*
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.1.36
v3.1.37
v3.1.37.1
v3.1.38
v3.1.39
v3.1.40
v3.1.41
Packagist / smarty/smarty
Package
- Name
- smarty/smarty
- Purl
- pkg:composer/smarty/smarty