CVE-2022-29221: 
PHP vulnerability analysis and mitigation

Smarty, a PHP template engine for separating presentation (HTML/CSS) from application logic, disclosed a security vulnerability (CVE-2022-29221) on May 24, 2022. Prior to versions 3.1.45 and 4.1.1, template authors could inject PHP code by choosing a malicious {block} name or {include} file name, potentially leading to code execution (GitHub Advisory).

The vulnerability is classified as a code injection issue (CWE-94) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability exists in the template processing mechanism where insufficient validation of block names and include file names could allow for PHP code injection (NVD).

The vulnerability allows template authors to inject and execute arbitrary PHP code through malicious block names or include file names, potentially leading to remote code execution in sites where template authors cannot be fully trusted (GitHub Advisory, Debian Advisory).

The vulnerability was patched in Smarty versions 3.1.45 and 4.1.1. Users are strongly advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory, Debian Advisory).

Multiple Linux distributions including Debian, Fedora, and Gentoo released security advisories and patches for this vulnerability. Debian classified it as a serious security issue and provided fixes in their security updates (Debian Advisory, Gentoo Advisory).