Lucene search

GitHub Advisory DatabaseGHSA-29GP-2C3M-3J6M

HistoryJan 12, 2022 - 10:43 p.m.

Sandbox Escape by math function in smarty

2022-01-1222:43:00

CWE-74

GitHub Advisory Database

github.com

sandbox escape

math function

smarty

vulnerability

upgrade

php code

patches

documentation

external users

security advisory

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%

JSON

Impact

Template authors could run arbitrary PHP code by crafting a malicious math string.
If a math string is passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.

Patches

Please upgrade to 4.0.2 or 3.1.42 or higher.

References

See documentation on Math function.

For more information

If you have any questions or comments about this advisory please open an issue in the Smarty repo

Affected configurations

Vulners

Node

smartysmartyRange4.0.0–4.0.2

smartysmartyRange<3.1.42

VendorProductVersionCPE
smartysmarty*cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
smarty	smarty	*	cpe:2.3:a:smarty:smarty::::::::

References

github.com/advisories/GHSA-29gp-2c3m-3j6m

github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml

github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71

github.com/smarty-php/smarty/releases/tag/v3.1.42

github.com/smarty-php/smarty/releases/tag/v4.0.2

github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m

lists.debian.org/debian-lts-announce/2022/05/msg00005.html

lists.fedoraproject.org/archives/list/[email protected]/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/

lists.fedoraproject.org/archives/list/[email protected]/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/

nvd.nist.gov/vuln/detail/CVE-2021-29454

packagist.org/packages/smarty/smarty

security.gentoo.org/glsa/202209-09

www.debian.org/security/2022/dsa-5151

www.smarty.net/docs/en/language.function.math.tpl

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.7%

JSON

Related for GHSA-29GP-2C3M-3J6M