CVE-2021-29454

10.01.2022, 20:15

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Vendor	Product	Version
smarty	smarty	𝑥 < 3.1.42
smarty	smarty	4.0.0 ≤ 𝑥 < 4.0.2
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

smarty3

bullseye (security)	3.1.39-2+deb11u1 fixed
bullseye	3.1.39-2+deb11u1 fixed
bookworm	3.1.47-2 fixed
sid	3.1.48-1 fixed

smarty4

bookworm	4.3.0-1+deb12u1 fixed
sid	4.5.4-1 fixed
trixie	4.5.4-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

smarty3

noble	Fixed 3.1.39-2ubuntu1 released
mantic	Fixed 3.1.39-2ubuntu1 released
lunar	Fixed 3.1.39-2ubuntu1 released
kinetic	Fixed 3.1.39-2ubuntu1 released
jammy	Fixed 3.1.39-2ubuntu1 released
impish	Fixed 3.1.39-2ubuntu0.21.10.1 released
hirsute	ignored
focal	Fixed 3.1.34+20190228.1.c9f0de05+selfpack1-1ubuntu0.1~esm1 released
bionic	Fixed 3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1 released
xenial	Fixed 3.1.21-1ubuntu1+esm1 released
trusty	dne

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71

https://github.com/smarty-php/smarty/releases/tag/v3.1.42

https://github.com/smarty-php/smarty/releases/tag/v4.0.2

https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m

https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/

https://packagist.org/packages/smarty/smarty

https://security.gentoo.org/glsa/202209-09

https://www.debian.org/security/2022/dsa-5151

https://www.smarty.net/docs/en/language.function.math.tpl

https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71

https://github.com/smarty-php/smarty/releases/tag/v3.1.42

https://github.com/smarty-php/smarty/releases/tag/v4.0.2

https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m

https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L777JIBIWJV34HS7LXPIDWASG7TT4LNI/

https://packagist.org/packages/smarty/smarty

https://security.gentoo.org/glsa/202209-09

https://www.debian.org/security/2022/dsa-5151

https://www.smarty.net/docs/en/language.function.math.tpl