CVE-2009-5054 | Vulnerability Database | Aqua Security

Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.

Affected Software

Name	Vendor	Start Version	End Version
Smarty	Smarty	*	2.6.26 (including)
Smarty	Smarty	1.0 (including)	1.0 (including)
Smarty	Smarty	1.0a (including)	1.0a (including)
Smarty	Smarty	1.0b (including)	1.0b (including)
Smarty	Smarty	1.1.0 (including)	1.1.0 (including)
Smarty	Smarty	1.2.0 (including)	1.2.0 (including)
Smarty	Smarty	1.2.1 (including)	1.2.1 (including)
Smarty	Smarty	1.2.2 (including)	1.2.2 (including)
Smarty	Smarty	1.3.0 (including)	1.3.0 (including)
Smarty	Smarty	1.3.1 (including)	1.3.1 (including)
Smarty	Smarty	1.3.2 (including)	1.3.2 (including)
Smarty	Smarty	1.4.0 (including)	1.4.0 (including)
Smarty	Smarty	1.4.0-b1 (including)	1.4.0-b1 (including)
Smarty	Smarty	1.4.0-b2 (including)	1.4.0-b2 (including)
Smarty	Smarty	1.4.1 (including)	1.4.1 (including)
Smarty	Smarty	1.4.2 (including)	1.4.2 (including)
Smarty	Smarty	1.4.3 (including)	1.4.3 (including)
Smarty	Smarty	1.4.4 (including)	1.4.4 (including)
Smarty	Smarty	1.4.5 (including)	1.4.5 (including)
Smarty	Smarty	1.4.6 (including)	1.4.6 (including)
Smarty	Smarty	1.5.0 (including)	1.5.0 (including)
Smarty	Smarty	1.5.1 (including)	1.5.1 (including)
Smarty	Smarty	1.5.2 (including)	1.5.2 (including)
Smarty	Smarty	2.0.0 (including)	2.0.0 (including)
Smarty	Smarty	2.0.1 (including)	2.0.1 (including)
Smarty	Smarty	2.1.0 (including)	2.1.0 (including)
Smarty	Smarty	2.1.1 (including)	2.1.1 (including)
Smarty	Smarty	2.2.0 (including)	2.2.0 (including)
Smarty	Smarty	2.3.0 (including)	2.3.0 (including)
Smarty	Smarty	2.3.1 (including)	2.3.1 (including)
Smarty	Smarty	2.4.0 (including)	2.4.0 (including)
Smarty	Smarty	2.4.1 (including)	2.4.1 (including)
Smarty	Smarty	2.4.2 (including)	2.4.2 (including)
Smarty	Smarty	2.5.0 (including)	2.5.0 (including)
Smarty	Smarty	2.5.0-rc1 (including)	2.5.0-rc1 (including)
Smarty	Smarty	2.5.0-rc2 (including)	2.5.0-rc2 (including)
Smarty	Smarty	2.6.0 (including)	2.6.0 (including)
Smarty	Smarty	2.6.0-rc1 (including)	2.6.0-rc1 (including)
Smarty	Smarty	2.6.0-rc2 (including)	2.6.0-rc2 (including)
Smarty	Smarty	2.6.0-rc3 (including)	2.6.0-rc3 (including)
Smarty	Smarty	2.6.1 (including)	2.6.1 (including)
Smarty	Smarty	2.6.2 (including)	2.6.2 (including)
Smarty	Smarty	2.6.3 (including)	2.6.3 (including)
Smarty	Smarty	2.6.4 (including)	2.6.4 (including)
Smarty	Smarty	2.6.5 (including)	2.6.5 (including)
Smarty	Smarty	2.6.6 (including)	2.6.6 (including)
Smarty	Smarty	2.6.7 (including)	2.6.7 (including)
Smarty	Smarty	2.6.9 (including)	2.6.9 (including)
Smarty	Smarty	2.6.10 (including)	2.6.10 (including)
Smarty	Smarty	2.6.11 (including)	2.6.11 (including)
Smarty	Smarty	2.6.12 (including)	2.6.12 (including)
Smarty	Smarty	2.6.13 (including)	2.6.13 (including)
Smarty	Smarty	2.6.14 (including)	2.6.14 (including)
Smarty	Smarty	2.6.15 (including)	2.6.15 (including)
Smarty	Smarty	2.6.16 (including)	2.6.16 (including)
Smarty	Smarty	2.6.17 (including)	2.6.17 (including)
Smarty	Smarty	2.6.18 (including)	2.6.18 (including)
Smarty	Smarty	2.6.20 (including)	2.6.20 (including)
Smarty	Smarty	2.6.22 (including)	2.6.22 (including)
Smarty	Smarty	2.6.24 (including)	2.6.24 (including)
Smarty	Smarty	2.6.25 (including)	2.6.25 (including)
Gallery2	Ubuntu	dapper	*
Gallery2	Ubuntu	hardy	*
Moodle	Ubuntu	dapper	*
Moodle	Ubuntu	hardy	*
Smarty	Ubuntu	dapper	*
Smarty	Ubuntu	hardy	*
Smarty	Ubuntu	karmic	*
Smarty	Ubuntu	lucid	*
Smarty	Ubuntu	maverick	*
Smarty	Ubuntu	natty	*
Smarty	Ubuntu	oneiric	*
Smarty	Ubuntu	precise	*
Smarty	Ubuntu	quantal	*
Smarty	Ubuntu	upstream	*

References

http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-5054
CWE	https://cwe.mitre.org/data/definitions/264.html