CVE-2021-29454 Sandbox Escape by math function in smarty

2022-01-1000:00:00

CWE-74

GitHub_M

www.cve.org

cve-2021-29454

sandbox escape

smarty

math function

php

patch

upgrade

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

9.5

Confidence

High

EPSS

0.003

Percentile

69.7%

JSON

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

CNA Affected

[
  {
    "vendor": "smarty-php",
    "product": "smarty",
    "versions": [
      {
        "version": "< 3.1.42",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.0.2",
        "status": "affected"
      }
    ]
  }
]