Security News > 2021 > October > Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects
A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305, involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution.
Yamale is a Python package that allows developers to validate YAML - a data serialization language often used for writing configuration files - from the command line.
"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process," JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News.
"This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the maintainers of Yamale noted in the release notes published on August 4.
Subsequently, the JFrog security team discovered eight more malicious Python libraries, which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/k1YJIDrqCq8/code-execution-bug-affects-yamale.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-09 | CVE-2021-38305 | Unrestricted Upload of File with Dangerous Type vulnerability in 23Andme Yamale 23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. | 9.3 |