A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file presented as input to the software to circumvent protections and achieve code execution. Notably, the issue resides in the schema parsing function, which makes it possible for any input passed to be evaluated and executed, resulting in a scenario where a specially crafted string inside the schema can be abused to inject system commands.
Yamale is a Python package that allows developers to validate YAML — a data serialization language commonly used for writing configuration files — from the command line. The package is used by at least 224 repositories on GitHub.
“This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process,” JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. “We recommend sanitizing any input going to eval() thoroughly and — if possible — replacing eval() calls with more specific APIs required for your task.”
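To illustrate the eval() replacement Karas recommends, here is an added example written for this article (it is not Yamale's code, and its "name(arg, key=value)" rule syntax is a simplified assumption): a hypothetical schema-rule parser in its eval()-based form next to an allow-list form that resolves rule names through an explicit table and accepts only literal arguments.

```python
import ast
import re

# Hypothetical schema-rule parser written for this article to contrast the
# eval() pattern with an allow-list approach. It is not Yamale's code, and the
# rule syntax "name(arg, key=value)" is a simplified assumption.

def int_validator(min=None, max=None):
    """Accept ints within an optional [min, max] range."""
    return lambda v: isinstance(v, int) and (min is None or v >= min) \
        and (max is None or v <= max)

def str_validator(max=None):
    """Accept strings up to an optional maximum length."""
    return lambda v: isinstance(v, str) and (max is None or len(v) <= max)

# Explicit allow-list: the only names a schema rule may resolve to.
VALIDATORS = {"int": int_validator, "str": str_validator}

def parse_rule_unsafe(rule_text):
    # Vulnerable pattern: the raw schema string is handed to eval(), so any
    # Python expression that ends up in the schema file is executed.
    return eval(rule_text, dict(VALIDATORS))

_RULE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*(?:\((.*)\))?\s*$", re.S)

def parse_rule_safe(rule_text):
    """Resolve a rule without eval(): allow-listed name, literal-only args."""
    m = _RULE_RE.match(rule_text)
    if not m:
        raise ValueError(f"malformed rule: {rule_text!r}")
    name, arg_text = m.group(1), m.group(2) or ""
    if name not in VALIDATORS:
        raise ValueError(f"unknown validator: {name!r}")
    args, kwargs = [], {}
    if arg_text.strip():
        try:
            call = ast.parse(f"f({arg_text})", mode="eval").body
        except SyntaxError as e:
            raise ValueError(f"bad argument list: {arg_text!r}") from e
        # ast.literal_eval only accepts constants and containers of them; a
        # call, name or attribute access inside the arguments raises ValueError.
        for kw in call.keywords:
            if kw.arg is None:
                raise ValueError("**kwargs splat not allowed")
        args = [ast.literal_eval(a) for a in call.args]
        kwargs = {kw.arg: ast.literal_eval(kw.value) for kw in call.keywords}
    return VALIDATORS[name](*args, **kwargs)
```

Both parsers accept the same well-formed rules; only the allow-list version refuses a rule whose name is not registered or whose arguments are anything other than literals.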
Following responsible disclosure, the issue has been rectified in Yamale version 3.0.8. “This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale,” the maintainers of Yamale noted in the release notes posted on August 4.
The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team uncovered eight additional malicious Python libraries, which had been downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.
“Software package repositories are becoming a popular target for supply chain attacks, and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems,” the researchers said. “Often malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline.”