CVE-2018-13982

Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8	Patch Vendor Advisory
https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1	Patch Vendor Advisory
https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531	Patch Vendor Advisory
https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe	Patch Vendor Advisory
https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50	Patch Vendor Advisory
https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal	Exploit Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00015.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Information

Published : 2018-09-18 14:29

Updated : 2021-11-02 07:01

NVD link : CVE-2018-13982

Mitre link : CVE-2018-13982

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

debian

debian_linux

smarty

smarty

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8", "name": "https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1", "name": "https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531", "name": "https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe", "name": "https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50", "name": "https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal", "name": "https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00004.html", "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2618-1] smarty3 security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html", "name": "[debian-lts-announce] 20210416 [SECURITY] [DLA 2618-2] smarty3 regression update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00015.html", "name": "[debian-lts-announce] 20211020 [SECURITY] [DLA 2618-3] smarty3 regression update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-13982", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2018-09-18T21:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:smarty:smarty:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.1.33"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-11-02T14:01Z"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2018-13982

7.5^/10

5.0^/10

Attach tags to `CVE-2018-13982`