CVE-2021-21408

8.8 HIGH

📋 TL;DR

CVE-2021-21408 is a vulnerability in the Smarty PHP template engine that allows template authors to execute restricted static PHP methods, potentially leading to remote code execution. It affects all Smarty users running 3.x versions before 3.1.43 or 4.x versions before 4.0.3. The vulnerability lets a template author bypass the security policy restrictions that are meant to limit what template code can call.

💻 Affected Systems

Products:
  • Smarty PHP Template Engine
Versions: 3.x before 3.1.43 and 4.x before 4.0.3
Operating Systems: All operating systems running PHP with Smarty
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default Smarty configurations when template authors have access to modify templates.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Template authors or attackers with template access can execute arbitrary PHP code, potentially gaining application-level access and data exposure.

🟢 If Mitigated

With proper access controls and template author restrictions, impact is limited to authorized template functionality only.

🌐 Internet-Facing: HIGH - Web applications using Smarty templates are directly exposed to potential exploitation if templates can be modified.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but with reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires template author access or ability to inject/modify templates. Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.43 or 4.0.3

Vendor Advisory: https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m

Restart Required: No

Instructions:

1. Back up the current Smarty installation.
2. Update via composer: 'composer require smarty/smarty:^3.1.43' or 'composer require smarty/smarty:^4.0.3'.
3. Verify the update with 'composer show smarty/smarty'.
4. Test application functionality.

🔧 Temporary Workarounds

Restrict Template Author Permissions

Limit who can create or modify Smarty templates to trusted administrators only.

Disable PHP Function Execution

Enable Smarty's security policy and configure it so that templates cannot call PHP functions (the Smarty 2 `$security` / `$security_settings` properties do not exist in the affected 3.x and 4.x versions; the policy object below is the 3.x/4.x API).

$policy = new Smarty_Security($smarty); // Smarty 3.x/4.x security policy object
$policy->php_functions = null;   // null = no PHP functions callable from templates (an empty array would allow all)
$policy->static_classes = null;  // null = no static class access from templates
$smarty->enableSecurity($policy);

🧯 If You Can't Patch

  • Implement strict access controls for template modification and review all existing templates for malicious code.
  • Deploy web application firewall rules to detect and block attempts to exploit template execution vulnerabilities.

🔍 How to Verify

Check if Vulnerable:

Check the Smarty version in composer.json or via 'composer show smarty/smarty'. If the version is below 3.1.43 (for v3) or below 4.0.3 (for v4), the system is vulnerable.

Check Version:

composer show smarty/smarty | grep versions

Verify Fix Applied:

After updating, verify that the version is 3.1.43 or higher (for v3) or 4.0.3 or higher (for v4) using 'composer show smarty/smarty'.
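The version check above has to be applied per branch (3.x against 3.1.43, 4.x against 4.0.3), which is easy to get wrong when scanning many composer.lock files. The following script is an added example, not part of the advisory or the Smarty project; the composer.lock fragment it parses is constructed, and it treats non-release version strings (dev-master and the like) as vulnerable because they cannot be shown to carry the fix.

```python
"""Branch-aware check of composer.lock for CVE-2021-21408 (smarty/smarty)."""
import json
import re

# Fixed releases from the advisory, keyed by major version: 3.1.43 (3.x), 4.0.3 (4.x).
FIXED = {3: (3, 1, 43), 4: (4, 0, 3)}

def parse_version(version):
    """Turn 'v3.1.39' or '4.0.2' into an int tuple; None for non-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True when the version is below the fixed release of its own branch.

    Non-release strings (dev-master, branch aliases) count as vulnerable because
    they cannot be shown to carry the fix; majors below 3 predate the fix and
    majors above 4 postdate it.
    """
    parsed = parse_version(version)
    if parsed is None:
        return True
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return parsed[0] < 3
    return parsed < fixed

def vulnerable_packages(lock):
    """List (name, version) for vulnerable smarty/smarty entries in composer.lock data."""
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "smarty/smarty" and is_vulnerable(pkg.get("version", "")):
                hits.append((pkg["name"], pkg["version"]))
    return hits

def check_lock_file(path):
    """Read a composer.lock from disk and return its vulnerable smarty/smarty entries."""
    with open(path, encoding="utf-8") as fh:
        return vulnerable_packages(json.load(fh))

# Constructed sample composer.lock fragment (not from a real project).
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "smarty/smarty", "version": "v3.1.39"},
    {"name": "monolog/monolog", "version": "2.3.5"}
  ],
  "packages-dev": []
}""")
```

Run `check_lock_file("composer.lock")` against each project root; an empty list means the installed smarty/smarty release is at or past the fixed version for its branch.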

📡 Detection & Monitoring

Log Indicators:

  • Unusual template modification activity
  • PHP execution errors in template files
  • Unexpected system command execution from web process

Network Indicators:

  • HTTP requests with unusual template parameters
  • POST requests modifying template content

SIEM Query:

source="web_logs" AND (uri="*.tpl" OR uri="*.php") AND (method="PUT" OR method="POST") AND size>10000
