#VU61666 Path traversal in Smarty - CVE-2018-13982


Vulnerability identifier: #VU61666

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-13982

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Smarty
Web applications / CMS

Vendor: smarty.php.net

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in Smarty_Security::isTrustedResourceDir(). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Smarty: 3.1 - 3.1.32

External links
https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531
https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal
https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html
https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html
https://lists.debian.org/debian-lts-announce/2021/10/msg00015.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for smarty3
Fedora EPEL 7 update for php-Smarty
Fedora 28 update for php-Smarty
Fedora 29 update for php-Smarty