Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS00aDljLXY1dmctNW02bc0hUA

High EPSS: 0.00361% (0.57612 Percentile) EPSS:
Permalink JSON

Access to restricted PHP code by dynamic static class access in smarty

Affected Packages Affected Versions Fixed Versions
packagist:smarty/smarty >= 4.0.0, < 4.0.3, < 3.1.43 4.0.3, 3.1.43
465 Dependent packages
2,359 Dependent repositories
34,452,178 Downloads total

Affected Version Ranges

All affected versions

2.6.24, 2.6.25, 2.6.26, 2.6.27, 2.6.28, 2.6.29, 2.6.30, 2.6.31, 2.6.33, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.39, 3.1.40, 3.1.41, 3.1.42, 4.0.0, 4.0.1, 4.0.2

All unaffected versions

3.1.43, 3.1.44, 3.1.45, 3.1.46, 3.1.47, 3.1.48, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.5.0, 5.5.1, 5.5.2

Impact

Template authors could run restricted static php methods.

Patches

Please upgrade to 3.1.40 or higher.

References

See the documentation on Smarty security features on the static_classes access filter.

For more information

If you have any questions or comments about this advisory please open an issue in the Smarty repo

References:

Identifiers

GHSA-4h9c-v5vg-5m6m

CVE-2021-21408

Risk

Severity

High

EPSS

EPSS Percentage: 0.00361

EPSS Percentile: 0.57612

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/smarty-php/smarty

Date and time

Published

over 3 years ago

Updated

over 1 year ago

API

JSON