CVE-2021-26119
Published 2021-02-22
CVE-2021-26119: Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
Priority: P344 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 9.44% (94.8th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | smarty3 | < smarty3 3.1.39-1 (bookworm) | smarty3 3.1.39-1 (bookworm) |
| smarty | smarty | < 3.1.39 | 3.1.39 |
| smarty | smarty | >= 0 < 3.1.39 | 3.1.39 |
Detection & IOCs (extracted from sources)
- Sandbox escape vector: access to `$smarty.template_object` variable within Smarty sandbox mode should be monitored or blocked as it enables sandbox escape
- Vulnerability is scoped as local exploitation; Smarty versions before 3.1.39 are affected — upgrade to 3.1.39 or later to remediate
- Debian packages resolved the issue at version 3.1.39-1 across bookworm, bullseye, forky, sid, and trixie
CVSS provenance
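| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |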
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-06-21·CVSS 7.5
CVE-2021-26120 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 20.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-03-28·CVSS 7.5
CVE-2021-21408 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)
It
Ubuntu
Smarty vulnerabilities
vendor_ubuntu·2022-03-28·CVSS 7.5
CVE-2021-26120 [HIGH] Smarty vulnerabilities
Title: Smarty vulnerabilities
Summary: Several security issues were fixed in Smarty.
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 16.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating
Debian
CVE-2021-26119: smarty3 - Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can...
vendor_debian·2021·CVSS 7.5
CVE-2021-26119 [HIGH] CVE-2021-26119: smarty3 - Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can...
Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
Scope: local
bookworm: resolved (fixed in 3.1.39-1)
bullseye: resolved (fixed in 3.1.39-1)
forky: resolved (fixed in 3.1.39-1)
sid: resolved (fixed in 3.1.39-1)
trixie: resolved (fixed in 3.1.39-1)
OSV
smarty3 vulnerabilities
osv·2022-06-21·CVSS 7.5
CVE-2021-21408 [HIGH] smarty3 vulnerabilities
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 20.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classe
OSV
smarty3 vulnerabilities
osv·2022-03-28·CVSS 7.5
CVE-2018-13982 [HIGH] smarty3 vulnerabilities
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)
It was discovered that Smarty was incorrectly managing access con
OSV
smarty3 vulnerabilities
osv·2022-03-28·CVSS 7.5
CVE-2021-21408 [HIGH] smarty3 vulnerabilities
USN-5348-1 fixed several vulnerabilities in Smarty. This update provides
the fixes for CVE-2021-21408, CVE-2021-26119, CVE-2021-26120 and
CVE-2021-29454 for Ubuntu 16.04 ESM.
Original advisory details:
David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this issue to read arbitrary files when controlling the executed
template. (CVE-2018-13982)
It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this issue to read
arbitrary files when controlling the executed template. (CVE-2018-16831)
It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classe
GHSA
Sandbox escape through template_object in smarty
ghsa·2021-03-02
CVE-2021-26119 [HIGH] Sandbox escape through template_object in smarty
Sandbox protection could be bypassed through access to an internal Smarty object that should have been blocked. Sites that rely on [Smarty Security features](https://www.smarty.net/docs/en/advanced.features.tpl) should upgrade as soon as possible. Please upgrade to 3.1.39 or higher.
OSV
Sandbox escape through template_object in smarty
osv·2021-03-02
CVE-2021-26119 [HIGH] Sandbox escape through template_object in smarty
Sandbox protection could be bypassed through access to an internal Smarty object that should have been blocked. Sites that rely on [Smarty Security features](https://www.smarty.net/docs/en/advanced.features.tpl) should upgrade as soon as possible. Please upgrade to 3.1.39 or higher.
OSV
CVE-2021-26119: Smarty before 3
osv·2021-02-22·CVSS 7.5
CVE-2021-26119 [HIGH] CVE-2021-26119: Smarty before 3
Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md
- https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html
- https://security.gentoo.org/glsa/202105-06
- https://www.debian.org/security/2022/dsa-5151
Published: 2021-02-22