Description
23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/23andMe/Yamale/releases/tag/3.0.8
Patch, Third Party Advisory x_refsource_misc
https://github.com/23andMe/Yamale/pull/165
Scores
CVSS v3
7.8
EPSS
0.0086
EPSS Percentile
75.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (2)
23andme/yamale
< 3.0.8
pypi/yamale
0 - 3.0.8PyPI
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026