Yamale the Python package that allows developers to validate YAML – a data serialization language often used for writing configuration files has been discovered to be having a high severity code injection vulnerability that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw tracked as CVE-2021-38305 (CVSS score: 7.8) involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution.
The issue raised in the schema parsing function, which allows any input passed to be evaluated and executed resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands.
Following three disclosure, the issue has been rectified in Yamale version 3.0.8. “This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale”.
This discovery is coming amidst series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PYPI repository that we found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ehtereum and Ubiq on compromised systems.
JFrog security team also discovered eight more malicious Python libraries which were downloaded no fewer than 30,000 times, that could have been leveraged to execute remote code on the target machine, gather system information, siphon credit card information and passwords auto-saved in Chrome and Edge browsers and even steal Discord authhentication tokens.
Software Package repository is becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI and RubyGems. Malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline.