CVE-2021-26119 — Smarty vulnerability

11 documents5 sources

Severity

7.5HIGHNVD

EPSS

62.6%

top 1.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Smarty Debian Smarty3 Debian Linux

Timeline

PublishedFeb 22

Latest updateJun 21

Description

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDsmarty/smarty< 3.1.39

▶Packagistsmarty/smarty< 3.1.39

▶debiandebian/smarty3< smarty3 3.1.39-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: security.gentoo.org ↗Patch: security.gentoo.org ↗

🔴Vulnerability Details

OSV

smarty3 vulnerabilities↗2022-06-21

▶

OSV

smarty3 vulnerabilities↗2022-03-28

▶

OSV

smarty3 vulnerabilities↗2022-03-28

▶

GHSA

Sandbox escape through template_object in smarty↗2021-03-02

▶

OSV

Sandbox escape through template_object in smarty↗2021-03-02

▶

📋Vendor Advisories

Ubuntu

Smarty vulnerabilities↗2022-06-21

▶

Ubuntu

Smarty vulnerabilities↗2022-03-28

▶

Ubuntu

Smarty vulnerabilities↗2022-03-28

▶

Debian

CVE-2021-26119: smarty3 - Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can...↗2021

▶