A high-severity code injection vulnerability was discovered in Yamale, 23andMe’s YAML schema and validator, that could be abused by attackers to run malicious Python code.
The issue, CVE-2021-38305 (CVSS score 7.8), involves altering the schema file supplied as input to the tool in order to bypass its protections and achieve code execution.
The problem lies in the schema parsing function, which processes and executes whatever input it is given, so a carefully constructed string placed in the schema can inject system commands.
Yamale is a Python module that allows developers to verify YAML files from the command line. YAML is a data serialization language commonly used for creating configuration files. On GitHub, the package is employed by at least 224 projects.
An attacker who can supply or modify an input schema file can inject Python code, resulting in code execution with the privileges of the Yamale process. It is recommended that any input reaching eval() be thoroughly sanitized, and that eval() calls be replaced with more specialized APIs suited to the purpose.
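As an added example (not Yamale's own code), the following shows the "more specialized API" approach for Yamale-style validator expressions such as `str(min=2, max=10)`: the string is parsed with the `ast` module and walked, never executed, and only allow-listed validator names with literal or nested-validator arguments are accepted. The validator name set is a constructed subset and the `(name, args, kwargs)` output shape is an assumption for illustration.

```python
import ast

# Constructed allow-list modelled on a subset of Yamale's built-in validators.
ALLOWED_VALIDATORS = {"str", "int", "num", "bool", "list", "map", "any", "regex"}


class UnsafeSchemaExpression(ValueError):
    """Raised when a schema expression is anything but a plain validator call."""


def _parse_node(node):
    # An argument may be a nested validator call or a plain literal. ast.literal_eval
    # accepts only constants and containers of constants, so bare names, attribute
    # access and calls to anything outside the allow-list are rejected here.
    if isinstance(node, ast.Call):
        return _parse_call(node)
    try:
        return ast.literal_eval(node)
    except ValueError as exc:
        raise UnsafeSchemaExpression(f"not a literal: {ast.dump(node)}") from exc


def _parse_call(call):
    if not isinstance(call.func, ast.Name) or call.func.id not in ALLOWED_VALIDATORS:
        raise UnsafeSchemaExpression(f"not an allow-listed validator: {ast.dump(call.func)}")
    if any(kw.arg is None for kw in call.keywords):
        raise UnsafeSchemaExpression("**kwargs expansion is not allowed")
    args = [_parse_node(a) for a in call.args]
    kwargs = {kw.arg: _parse_node(kw.value) for kw in call.keywords}
    return (call.func.id, args, kwargs)


def parse_validator(expr):
    """Turn 'str(min=2, max=10)' into ('str', [], {'min': 2, 'max': 10}).

    The text is parsed into an AST and walked, never executed. Parsing in
    'eval' mode also rejects statements, so 'str(); anything' fails up front."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeSchemaExpression(f"not a single expression: {expr!r}") from exc
    if not isinstance(tree.body, ast.Call):
        raise UnsafeSchemaExpression(f"expected a validator call: {expr!r}")
    return _parse_call(tree.body)


def is_safe(expr):
    """True when the expression is accepted by the restricted grammar above."""
    try:
        parse_validator(expr)
        return True
    except UnsafeSchemaExpression:
        return False
```

Anything outside the grammar (attribute access, calls to names that are not validators, multiple statements) is refused before any code path could run it, which is the property eval() cannot give.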
The problem has been fixed in Yamale version 3.0.8 as a result of responsible disclosure. “This version solves a problem where a well-formed schema file on a Yamale-running machine can execute arbitrary code,” the Yamale maintainers wrote in the release notes on August 4.
This discovery is the latest in a series of security flaws in Python packages found by JFrog. The JFrog security team has also found eight additional malicious Python libraries, with a combined total of 30,000 downloads.
These could have been used to execute code remotely on the victim's machine, collect system data, steal credit card numbers and passwords auto-saved in the Chrome and Edge browsers, and even capture Discord authentication tokens.