Security researchers at JFrog have recently disclosed a code injection vulnerability in Yamale, a schema and validator for YAML, that could easily be exploited by an attacker to execute arbitrary Python code.
The issue, tracked as CVE-2021-38305 (CVSS score: 7.8), allows attackers to circumvent existing protections and execute arbitrary Python code by manipulating the schema file provided as input to Yamale, JFrog security researchers explained.
Yamale is a Python package that allows developers to validate YAML (a data serialization language for writing configuration files) from the command line. The popular package is used by at least 224 repositories on GitHub.
"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process. We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task," JFrog Security CTO Asaf Karas stated.
According to researchers, the vulnerability has been patched in Yamale version 3.0.8. "This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the developers of Yamale noted.
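The recommendation to replace eval() with a narrower API, sketched as an added example (this is not Yamale's code and not the 3.0.8 patch): a schema expression is parsed with Python's ast module and accepted only if it consists of calls to allowlisted validator names with literal arguments, so nothing in the schema is ever executed. The allowlist, the function names and the sample lines are assumptions made for illustration.

```python
import ast

# Assumed subset of validator names for this example, not Yamale's real registry.
ALLOWED_VALIDATORS = {"str", "int", "num", "bool", "list", "map", "enum", "include"}

class SchemaError(ValueError):
    """Raised when a schema expression is anything but validator calls."""

def _convert(node):
    # Literal constants (strings, numbers, booleans, None) are plain data.
    if isinstance(node, ast.Constant):
        return node.value
    # Negative numbers parse as UnaryOp(USub, Constant).
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and isinstance(node.operand.value, (int, float))):
        return -node.operand.value
    # A call is accepted only when the callee is a bare, allowlisted name.
    if isinstance(node, ast.Call):
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_VALIDATORS:
            raise SchemaError("callee is not an allowed validator")
        if any(kw.arg is None for kw in node.keywords):
            raise SchemaError("keyword unpacking is not allowed")
        args = [_convert(a) for a in node.args]
        kwargs = {kw.arg: _convert(kw.value) for kw in node.keywords}
        return (node.func.id, args, kwargs)
    # Attribute access, subscripts, comprehensions, lambdas and so on end here.
    raise SchemaError(f"{type(node).__name__} is not allowed in a schema expression")

def parse_validator(expression):
    """Return a (name, args, kwargs) tree for the expression without executing it."""
    try:
        tree = ast.parse(expression.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise SchemaError("not a valid expression") from exc
    if not isinstance(tree.body, ast.Call):
        raise SchemaError("a schema value must be a validator call")
    return _convert(tree.body)

def is_safe(expression):
    try:
        parse_validator(expression)
        return True
    except SchemaError:
        return False

# Constructed sample schema values: the last two are not pure validator calls.
SAMPLE = ["str(min=1, max=64)", "list(include('person'), min=1)",
          "sorted([3, 1])", "str().upper()"]
if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line!r}: {'accepted' if is_safe(line) else 'rejected'}")
```

The returned tree can then be mapped to validator objects through an explicit lookup table, which keeps the schema file in the role of data rather than code.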
The findings are the latest in a series of security issues unearthed by JFrog in Python packages. In June 2021, JFrog revealed typosquatted packages in the PyPI repository that were found to download and run third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner for mining Ethereum and Ubiq on compromised devices.
Soon after, the JFrog security researchers uncovered eight more malicious Python libraries, downloaded over 30,000 times, that could have been used to execute remote code on the targeted device, collect system data, harvest credit card information and passwords automatically stored in Chrome and Edge browsers, and even steal Discord authentication tokens.
"Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems," the researchers said. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline."