A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), requires manipulating the schema file supplied as input to the tool in order to bypass its protections and achieve code execution. Specifically, the issue resides in the schema parsing function, which evaluates and executes whatever input it is handed, so a specially crafted string in the schema can be abused to inject system commands. Only the schema file is affected: an attacker who can supply or modify the schema that Yamale loads controls what gets executed, even if the YAML data being validated is trusted.
Yamale is a Python package that lets developers validate YAML, a data serialization language commonly used for writing configuration files, from the command line. The package is used by at least 224 repositories on GitHub.
“This hole allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process,” JFrog Security CTO Asaf Karas said in an emailed statement to The Hacker News. “We recommend sanitizing any input going to eval() extensively and, preferably, replacing eval() calls with more specific APIs required for your task.”
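To make the eval() problem concrete, the following is an added example and not Yamale's own code: a toy schema-expression parser written in the vulnerable style (the schema string is handed straight to eval()) next to a hardened version that parses the expression with Python's ast module and accepts only a registered validator name called with literal arguments, which is the kind of "more specific API" the quote above argues for. The validator registry, the function names and the sample schema strings are all constructed for illustration; Yamale's real parser and its fix differ in the details.

```python
import ast

# Constructed toy validator registry (hypothetical; not Yamale's API).
# Each validator just returns a tuple so the parsed result is easy to inspect.
def _make_validator(name):
    def build(*args, **kwargs):
        return (name, args, kwargs)
    return build

VALIDATORS = {n: _make_validator(n) for n in ("str", "int", "num", "enum")}


def parse_with_eval(expr):
    """VULNERABLE pattern: the schema text goes straight to eval().

    The validator names are exposed as globals, but eval() also exposes the
    whole Python language (and the builtins), so any expression that appears
    in the schema file simply runs.  Deny-listing builtins is a fragile patch
    for this; the real fix is to stop evaluating untrusted text.
    """
    return eval(expr, dict(VALIDATORS))


def _literal(node):
    """Accept only literal arguments.  ast.literal_eval refuses names, calls,
    attribute access and operators other than unary minus, so nothing is run."""
    try:
        return ast.literal_eval(node)
    except ValueError as exc:
        raise ValueError("validator arguments must be literals") from exc


def parse_safely(expr):
    """Hardened replacement: parse with ast and walk the tree explicitly.

    The only accepted shape is  name(literal, ..., key=literal, ...)  where
    name is a registered validator.  The only code that ever executes is the
    registered validator function itself.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid schema expression: {expr!r}") from exc
    call = tree.body
    # Root must be a plain call of a bare name: rejects "a.b()", "x", "1+1", ...
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise ValueError("schema entry must be a single validator call")
    name = call.func.id
    if name not in VALIDATORS:
        raise ValueError(f"unknown validator: {name}")
    # Reject **kwargs expansion; *args shows up as ast.Starred and is
    # rejected by _literal below.
    if any(kw.arg is None for kw in call.keywords):
        raise ValueError("** expansion is not allowed")
    args = [_literal(a) for a in call.args]
    kwargs = {kw.arg: _literal(kw.value) for kw in call.keywords}
    return VALIDATORS[name](*args, **kwargs)


def is_rejected(expr):
    """True if the hardened parser refuses the expression."""
    try:
        parse_safely(expr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample schema entries: two benign, two hostile.
    benign = ["int(min=1, max=10)", "enum('a', 'b')"]
    hostile = ["__import__('os').getcwd()", "int(min=(lambda: 1)())"]
    for e in benign:
        print("eval :", parse_with_eval(e), "| safe:", parse_safely(e))
    for e in hostile:
        # The eval() version happily runs the payload; the safe one refuses.
        print("eval :", repr(parse_with_eval(e))[:40], "| safe rejected:", is_rejected(e))
```

The hardened parser is deliberately an allow-list: rather than trying to enumerate dangerous constructs, it names the single tree shape it accepts and rejects everything else, so new Python syntax or unforeseen introspection tricks cannot widen what it will execute.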
Following responsible disclosure, the issue has been fixed in Yamale version 3.0.8. “This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale,” the maintainers of Yamale noted in the release notes published on August 4.
The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised systems.
Subsequently, the JFrog security team discovered eight more malicious Python libraries, downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, collect system information, siphon credit card information and passwords auto-saved in the Chrome and Edge browsers, and even steal Discord authentication tokens.
“Software package repositories are becoming a popular target for supply chain attacks, and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems,” the researchers said. “Occasionally malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline.”