PublicDateAtUSN: 2021-02-22 02:15:00 UTC
Candidate: CVE-2021-26120
PublicDate: 2021-02-22 02:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120
 https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md
 https://ubuntu.com/security/notices/USN-5348-1
Description:
 Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_smarty3:
 upstream: https://github.com/smarty-php/smarty/commit/4f634c0097ab4a8b2adc2a97caacd1676e88f9c8
upstream_smarty3: released (3.1.39)
precise/esm_smarty3: DNE
trusty_smarty3: ignored (out of standard support)
trusty/esm_smarty3: DNE
xenial_smarty3: ignored (end of standard support, was needed)
bionic_smarty3: released (3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1)
focal_smarty3: needed
groovy_smarty3: ignored (reached end-of-life)
hirsute_smarty3: ignored (reached end-of-life)
impish_smarty3: not-affected (3.1.39-2)
jammy_smarty3: not-affected (3.1.39-2)
devel_smarty3: not-affected (3.1.39-2)