CVE-2009-5054 — Improper Preservation of Permissions in Smarty

CWE-264 CWE-281 — Improper Preservation of Permissions6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 71.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Smarty Debian Smarty3

Timeline

PublishedFeb 3

Latest updateMay 2

Description

Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶Packagistsmarty/smarty< 3.0.0-beta4

▶debiandebian/smarty3< smarty3 3.0~rc1-1 (bookworm)

▶NVDsmarty/smarty2.6.26+53

🔴Vulnerability Details

OSV

Smarty Does Not Consider Umask Values When Setting Permissions↗2022-05-02

▶

GHSA

Smarty Does Not Consider Umask Values When Setting Permissions↗2022-05-02

▶

OSV

CVE-2009-5054: Smarty before 3↗2011-02-03

▶

📋Vendor Advisories

Debian

CVE-2009-5054: smarty3 - Smarty before 3.0.0 beta 4 does not consider the umask value when setting the pe...↗2009

▶

💬Community

Bugzilla

CVE-2009-5054 php-Smarty: Does not consider the umask value when setting the permissions of files↗2011-10-25

▶