#VU61664 Code Injection in Smarty - CVE-2021-29454

Cybersecurity Help s.r.o.

Published: 2022-03-28

Vulnerability identifier: #VU61664

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-29454

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Smarty
Web applications / CMS

Vendor: smarty.php.net

Description

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation. A remote user can inject a malicious math string into he PHP template and execute arbitrary PHP code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Smarty: 3.1 - 3.1.41, 4.0.0 - 4.0.1

External links
https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71
https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m
https://packagist.org/packages/smarty/smarty
https://github.com/smarty-php/smarty/releases/tag/v3.1.42
https://www.smarty.net/docs/en/language.function.math.tpl
https://github.com/smarty-php/smarty/releases/tag/v4.0.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 37 update for php-Smarty

Fedora 36 update for php-Smarty

Fedora EPEL 7 update for php-Smarty

Gentoo update for Smarty

Debian update for smarty3

Ubuntu update for smarty3

Server-side template injection in Smarty