CVE-2022-29221

Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

How to fix CVE-2022-29221

To remediate CVE-2022-29221, upgrade the affected package to a fixed version below.

• —upgrade to 3.1.39-2+deb11u1 or later
• —upgrade to 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u6 or later
• —upgrade to 4.1.1-1 or later
• —upgrade to 3.1.45 or later

Is CVE-2022-29221 being exploited?

Moderate — EPSS is 25.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

• from 0, < 3.1.39-2+deb11u1
• from 0, < 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u6
• from 0, < 4.1.1-1
• from 0, < 3.1.45

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-29221
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-29221
• PATCHgithub.com/smarty-php/smarty
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2022-29221.yaml