CVE-2021-21408

Description

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

How to fix CVE-2021-21408

To remediate CVE-2021-21408, upgrade the affected package to a fixed version below.

• —upgrade to 3.1.39-2+deb11u1 or later
• —upgrade to 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5 or later
• —upgrade to 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1 or later
• —upgrade to 4.1.1-1 or later
• —upgrade to 3.1.43 or later

Is CVE-2021-21408 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.1.39-2+deb11u1
• from 0, < 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5
• from 0, < 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1
• from 0, < 4.1.1-1
• from 0, < 3.1.43

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21408
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-21408
• PATCHgithub.com/smarty-php/smarty
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/smarty/smarty/CVE-2021-21408.yaml