usn-5348-1
Vulnerability from osv_ubuntu
Published
2022-03-28 10:09
Modified
2026-02-10 04:42
Summary
smarty3 vulnerabilities
Details

David Gnedt and Thomas Konrad discovered that Smarty was incorrectly sanitizing the paths present in the templates. An attacker could possibly use this use to read arbitrary files when controlling the executed template. (CVE-2018-13982)

It was discovered that Smarty was incorrectly sanitizing the paths present in the templates. An attacker could possibly use this use to read arbitrary files when controlling the executed template. (CVE-2018-16831)

It was discovered that Smarty was incorrectly validating security policy data, allowing the execution of static classes even when not permitted by the security settings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-21408)

It was discovered that Smarty was incorrectly managing access control to template objects, which allowed users to perform a sandbox escape. An attacker could possibly use this issue to send specially crafted input to applications that use Smarty and execute arbitrary code. (CVE-2021-26119)

It was discovered that Smarty was not checking for special characters when setting function names during plugin compile operations. An attacker could possibly use this issue to send specially crafted input to applications that use Smarty and execute arbitrary code. (CVE-2021-26120)

It was discovered that Smarty was incorrectly sanitizing characters in math strings processed by the math function. An attacker could possibly use this issue to send specially crafted input to applications that use Smarty and execute arbitrary code. (CVE-2021-29454)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2018-13982",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2018-16831",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2021-21408",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2021-26119",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2021-26120",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2021-29454",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "high",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "smarty3",
            "binary_version": "3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "smarty3",
        "purl": "pkg:deb/ubuntu/smarty3@3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.1.31+20161214.1.c7d42e4+selfpack1-2",
        "3.1.31+20161214.1.c7d42e4+selfpack1-3"
      ]
    }
  ],
  "aliases": [],
  "details": "David Gnedt and Thomas Konrad discovered that Smarty was incorrectly\nsanitizing the paths present in the templates. An attacker could possibly\nuse this use to read arbitrary files when controlling the executed\ntemplate. (CVE-2018-13982)\n\nIt was discovered that Smarty was incorrectly sanitizing the paths\npresent in the templates. An attacker could possibly use this use to read\narbitrary files when controlling the executed template. (CVE-2018-16831)\n\nIt was discovered that Smarty was incorrectly validating security policy\ndata, allowing the execution of static classes even when not permitted by\nthe security settings. An attacker could possibly use this issue to\nexecute arbitrary code. (CVE-2021-21408)\n\nIt was discovered that Smarty was incorrectly managing access control to\ntemplate objects, which allowed users to perform a sandbox escape. An\nattacker could possibly use this issue to send specially crafted input to\napplications that use Smarty and execute arbitrary code. (CVE-2021-26119)\n\nIt was discovered that Smarty was not checking for special characters\nwhen setting function names during plugin compile operations. An attacker\ncould possibly use this issue to send specially crafted input to\napplications that use Smarty and execute arbitrary code. (CVE-2021-26120)\n\nIt was discovered that Smarty was incorrectly sanitizing characters in\nmath strings processed by the math function. An attacker could possibly\nuse this issue to send specially crafted input to applications that use\nSmarty and execute arbitrary code. (CVE-2021-29454)\n",
  "id": "USN-5348-1",
  "modified": "2026-02-10T04:42:32Z",
  "published": "2022-03-28T10:09:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-5348-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2018-13982"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2018-16831"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-21408"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-26119"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-26120"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-29454"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "smarty3 vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2018-13982",
    "UBUNTU-CVE-2018-16831",
    "UBUNTU-CVE-2021-21408",
    "UBUNTU-CVE-2021-26119",
    "UBUNTU-CVE-2021-26120",
    "UBUNTU-CVE-2021-29454"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…