GoogleOSV:GHSA-29GP-2C3M-3J6MSandbox Escape by math function in smarty
EPSS
Percentile
69.7%
Impact
Template authors could run arbitrary PHP code by crafting a malicious math string.
If a math string is passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string.
Patches
Please upgrade to 4.0.2 or 3.1.42 or higher.
References
See documentation on Math function.
For more information
If you have any questions or comments about this advisory please open an issue in the Smarty repo
References
github.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-29454.yaml
github.com/smarty-php/smarty
github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71
github.com/smarty-php/smarty/releases/tag/v3.1.42
github.com/smarty-php/smarty/releases/tag/v4.0.2
github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m
lists.debian.org/debian-lts-announce/2022/05/msg00005.html
lists.fedoraproject.org/archives/list/[email protected]/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ
lists.fedoraproject.org/archives/list/[email protected]/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI
nvd.nist.gov/vuln/detail/CVE-2021-29454
packagist.org/packages/smarty/smarty
security.gentoo.org/glsa/202209-09
www.debian.org/security/2022/dsa-5151
www.smarty.net/docs/en/language.function.math.tpl
Related
