Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzNXAtZjgyeC1teHdt
Command injection in Yamale
23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing and tries to protect against malicious expressions by limiting the builtins passed to eval. When a schema is processed, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
Permalink: https://github.com/advisories/GHSA-435p-f82x-mxwm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzNXAtZjgyeC1teHdt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-435p-f82x-mxwm, CVE-2021-38305
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-38305
- https://github.com/23andMe/Yamale/pull/165
- https://github.com/23andMe/Yamale/releases/tag/3.0.8
- https://github.com/advisories/GHSA-435p-f82x-mxwm
Blast Radius: 19.0
Affected Packages
pypi:yamale
Dependent packages: 30
Dependent repositories: 275
Downloads: 1,290,521 last month
Affected Version Ranges: < 3.0.8
Fixed in: 3.0.8
All affected versions: 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 2.0.1, 2.1.0, 2.2.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7
All unaffected versions: 3.0.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0, 5.1.0, 5.2.0, 5.2.1