阿里云漏洞库

Smarty是Smarty 是 PHP 的模板引擎，有助于将表示 (HTML/CSS) 与应用程序逻辑分离。

Smarty存在安全漏洞，该漏洞源于Smarty是PHP的一个模板引擎，它促进了表示(HTML CSS)与应用逻辑的分离。在3.1.43和4.0.3版本之前，模板作者可以运行受限的静态php方法。

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：

https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m

参考链接
https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664
https://github.com/smarty-php/smarty/releases/tag/v3.1.43
https://github.com/smarty-php/smarty/releases/tag/v4.0.3
https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m
https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202209-09
https://www.debian.org/security/2022/dsa-5151

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	smarty	smarty	*		Up to (excluding) 3.1.43
	运行在以下环境
	应用	smarty	smarty	*	From (including) 4.0.0	Up to (excluding) 4.0.3
	运行在以下环境
	系统	debian_10	smarty3	*		Up to (excluding) 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1
	运行在以下环境
	系统	debian_11	smarty3	*		Up to (excluding) 3.1.39-2+deb11u1
	运行在以下环境
	系统	debian_12	smarty3	*		Up to (excluding) 3.1.45-1
	运行在以下环境
	系统	debian_9	smarty3	*		Up to (excluding) 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5
	运行在以下环境
	系统	fedora_36	php-Smarty	*		Up to (excluding) 3.1.47-1.fc36
	运行在以下环境
	系统	fedora_37	php-Smarty	*		Up to (excluding) 3.1.47-1.fc37
	运行在以下环境
	系统	fedora_EPEL_7	php-Smarty	*		Up to (excluding) 3.1.47-1.el7
	运行在以下环境
	系统	ubuntu_18.04	smarty3	*		Up to (excluding) 3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1
	运行在以下环境
	系统	ubuntu_21.10	smarty3	*		Up to (excluding) 3.1.39-2ubuntu0.21.10.1
	运行在以下环境
	系统	ubuntu_22.04	smarty3	*		Up to (excluding) 3.1.39-2ubuntu1
	运行在以下环境
	系统	ubuntu_22.10	smarty3	*		Up to (excluding) 3.1.39-2ubuntu1

CWE-ID	漏洞类型
CWE-20	输入验证不恰当