CVE-2021-38305

23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
References
Link Resource
https://github.com/23andMe/Yamale/pull/165 Patch Third Party Advisory
https://github.com/23andMe/Yamale/releases/tag/3.0.8 Release Notes Third Party Advisory
https://github.com/23andMe/Yamale/pull/165 Patch Third Party Advisory
https://github.com/23andMe/Yamale/releases/tag/3.0.8 Release Notes Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:23andme:yamale:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:16

Type Values Removed Values Added
References () https://github.com/23andMe/Yamale/pull/165 - Patch, Third Party Advisory () https://github.com/23andMe/Yamale/pull/165 - Patch, Third Party Advisory
References () https://github.com/23andMe/Yamale/releases/tag/3.0.8 - Release Notes, Third Party Advisory () https://github.com/23andMe/Yamale/releases/tag/3.0.8 - Release Notes, Third Party Advisory

17 Aug 2021, 18:46

Type Values Removed Values Added
References (MISC) https://github.com/23andMe/Yamale/releases/tag/3.0.8 - (MISC) https://github.com/23andMe/Yamale/releases/tag/3.0.8 - Release Notes, Third Party Advisory
References (MISC) https://github.com/23andMe/Yamale/pull/165 - (MISC) https://github.com/23andMe/Yamale/pull/165 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 9.3
v3 : 7.8
CWE CWE-434
CPE cpe:2.3:a:23andme:yamale:*:*:*:*:*:*:*:*

09 Aug 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-09 21:15

Updated : 2024-11-21 06:16


NVD link : CVE-2021-38305

Mitre link : CVE-2021-38305

CVE.ORG link : CVE-2021-38305


JSON object : View

Products Affected

23andme

  • yamale
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type