Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects
1 min read
Oct 07, 2021
A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution.
Particularly, the issue resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.
Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.
The link for this article located at The Hacker News is no longer available.
Related Articles
1 - 0 min read
Ubuntu Tool Could Trick Users Into Installing Rogue Packages
1 - 0 min read
Joomla XSS Bug Puts Millions of Websites at Risk of RCE
1 - 0 min read
Debian and Ubuntu Fix More OpenSSH Vulnerabilities
