CVE-2022-29221

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*
cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

History

28 Oct 2022, 13:40

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/ - Mailing List, Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/202209-09 - (GENTOO) https://security.gentoo.org/glsa/202209-09 - Third Party Advisory

24 Oct 2022, 14:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/ -
  • (GENTOO) https://security.gentoo.org/glsa/202209-09 -

06 Jun 2022, 18:24

Type Values Removed Values Added
CPE cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html - Mailing List, Third Party Advisory
References (CONFIRM) https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c - (CONFIRM) https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c - Third Party Advisory
References (MISC) https://github.com/smarty-php/smarty/releases/tag/v4.1.1 - (MISC) https://github.com/smarty-php/smarty/releases/tag/v4.1.1 - Release Notes, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5151 - (DEBIAN) https://www.debian.org/security/2022/dsa-5151 - Third Party Advisory
References (MISC) https://github.com/smarty-php/smarty/releases/tag/v3.1.45 - (MISC) https://github.com/smarty-php/smarty/releases/tag/v3.1.45 - Release Notes, Third Party Advisory
References (MISC) https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd - (MISC) https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 8.8

02 Jun 2022, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html -
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5151 -

24 May 2022, 15:23

Type Values Removed Values Added
New CVE

Information

Published : 2022-05-24 15:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-29221

Mitre link : CVE-2022-29221

CVE.ORG link : CVE-2022-29221


JSON object : View

Products Affected

debian

  • debian_linux

smarty

  • smarty

fedoraproject

  • fedora
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')