CVE-2024-35226

Name: CVE-2024-35226
Description: Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions, template authors could inject PHP code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update as soon as possible. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3956-1, ELA-1237-1
Debian Bugs: 1072529, 1072530

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                       | Version                                        | Status
smarty3 (PTS)  | jessie, jessie (lts)                         | 3.1.21-1+deb8u2                                | vulnerable
smarty3        | stretch (security), stretch (lts), stretch   | 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u6   | vulnerable
smarty3        | buster, buster (lts)                         | 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3 | fixed
smarty3        | buster (security)                            | 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u2 | vulnerable
smarty3        | bullseye                                     | 3.1.39-2+deb11u1                               | vulnerable
smarty3        | bullseye (security)                          | 3.1.39-2+deb11u2                               | fixed
smarty3        | bookworm                                     | 3.1.47-2                                       | vulnerable
smarty3        | sid                                          | 3.1.48-2                                       | fixed
smarty4 (PTS)  | bookworm                                     | 4.3.0-1+deb12u1                                | vulnerable
smarty4        | sid, trixie                                  | 4.5.4-1                                        | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version                                  | Urgency     | Origin     | Debian Bugs
smarty3 | source | jessie     | (unfixed)                                      | end-of-life |            |
smarty3 | source | stretch    | (unfixed)                                      | end-of-life |            |
smarty3 | source | buster     | 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3 |             | ELA-1237-1 |
smarty3 | source | bullseye   | 3.1.39-2+deb11u2                               |             | DLA-3956-1 |
smarty3 | source | (unstable) | 3.1.48-2                                       |             |            | 1072530
smarty4 | source | (unstable) | 4.5.4-1                                        |             |            | 1072529

Notes

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (v4.5.3)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)
