Insufficient input validation in Yamale allows an attacker to perform Python code injection when processing a malicious schema file
Affected versions: Yamale (,3.0.8), i.e. all releases before 3.0.8; fixed in 3.0.8
Yamale is a popular schema validator for YAML that’s used by over 200 repositories.
A code injection vulnerability occurs when parsing a malicious schema file: the parser.parse method passes user-controlled schema content to an insecure call to eval.
An attacker who can control the contents of the schema file supplied to Yamale (the -s/--schema command line parameter) can provide a seemingly valid schema file that causes arbitrary Python code to run.
This issue may be exploited remotely if some part of the vendor's code lets an attacker control which schema file is used, for example:
subprocess.run(["yamale", "-s", remote_userinput, "/path/to/file_to_validate"])
This scenario is much more likely to be exploited as part of a parameter injection attack.
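The root cause above is that schema validator expressions such as int(min=0, max=10) are handed to eval. The following is an added illustration (not Yamale's own code, and not its actual fix) of how such expressions can be parsed without eval: the text is parsed with the ast module in "eval" mode and only a single call to a whitelisted validator name with literal arguments is accepted; everything else is rejected. The validator names and the SchemaError/VALIDATORS helpers are assumptions for the example.

```python
# Added example (not Yamale's code): restricted parser for Yamale-style
# validator expressions, e.g. "int(min=0, max=10)" or "enum('a', 'b')".
import ast


class SchemaError(ValueError):
    """Raised for any schema expression that is not a plain validator call."""


# Hypothetical validator table: schema name -> callable that builds the validator.
VALIDATORS = {
    "str": lambda *a, **k: ("str", a, k),
    "int": lambda *a, **k: ("int", a, k),
    "enum": lambda *a, **k: ("enum", a, k),
}


def _literal(node):
    """Accept only literal constants (and tuples/lists of them) as arguments."""
    try:
        return ast.literal_eval(node)
    except (ValueError, SyntaxError) as exc:
        raise SchemaError(f"non-literal argument: {ast.dump(node)}") from exc


def parse_validator(expr):
    """Turn one schema expression into a validator without calling eval()."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise SchemaError(f"invalid schema expression: {expr!r}") from exc
    call = tree.body
    # The only accepted shape is  name(literal, ..., key=literal, ...).
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise SchemaError(f"expected a validator call, got: {expr!r}")
    name = call.func.id
    if name not in VALIDATORS:
        raise SchemaError(f"unknown validator: {name!r}")
    args = [_literal(a) for a in call.args]
    if any(kw.arg is None for kw in call.keywords):
        raise SchemaError("**kwargs expansion is not allowed")
    kwargs = {kw.arg: _literal(kw.value) for kw in call.keywords}
    return VALIDATORS[name](*args, **kwargs)


def parse_schema(schema):
    """Parse a flat {field: expression} mapping loaded from a schema file."""
    return {field: parse_validator(text) for field, text in schema.items()}
```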
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
(JFrog) Newly discovered code injection vulnerability in Yamale