CVE-2021-21408: 
PHP vulnerability analysis and mitigation

Smarty, a PHP template engine for separating presentation from application logic, was found to have a security vulnerability identified as CVE-2021-21408. The vulnerability was discovered in versions prior to 3.1.43 and 4.0.3, where template authors could run restricted static PHP methods. This vulnerability was disclosed in January 2022 and affected multiple versions of the Smarty template engine (GitHub Advisory, CVE Mitre).

The vulnerability allowed template authors to bypass the static_classes security policy through dynamic static class access. This security policy was designed to restrict access to static PHP methods, but the implementation had a flaw that could be exploited. The issue was addressed by adding additional security checks to prevent evasion of the static_classes security policy (GitHub Commit).

The vulnerability could allow template authors to execute restricted static PHP methods, potentially leading to unauthorized code execution within the application context. This could compromise the security boundaries established by the Smarty template engine's security features (Debian Security, Gentoo Security).

Users were advised to upgrade to Smarty version 3.1.43 or 4.0.3 or later to receive the security patch. The fix was implemented across multiple distribution channels including Debian, Fedora, and Gentoo (Debian LTS, Fedora Update).