JFrog Security Research

XRAY-182135 - Yamale schema code injection

CVE-2021-38305 | CVSS 7.8

JFrog Severity: high

Published 5 Oct. 2021 | Last updated 5 Oct. 2021

Insufficient input validation in Yamale allows an attacker to perform Python code injection when processing a malicious schema file


Yamale (,3.0.8), fixed in 3.0.8

Yamale is a popular schema validator for YAML that’s used by over 200 repositories.

A code injection vulnerability occurs when parsing a malicious schema file, because the parser.parse method makes an insecure call to eval with user-controlled input.

An attacker who can control the contents of the schema file supplied to Yamale (-s/--schema command line parameter) can provide a seemingly valid schema file that will cause arbitrary Python code to run.
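An added example, not code from Yamale or from this advisory: one way to process validator expressions such as str(min=1) without eval is to parse them into an AST and accept only calls to allowlisted validator names with literal arguments. ALLOWED_VALIDATORS, UnsafeSchemaExpression, parse_validator and is_allowed are hypothetical names, and the allowlist is an assumed, illustrative subset.

```python
import ast

# Assumed, illustrative subset of validator names (not Yamale's real registry).
ALLOWED_VALIDATORS = {"str", "int", "num", "bool", "list", "map", "enum", "include"}


class UnsafeSchemaExpression(ValueError):
    """Raised when a schema expression is anything but validators + literals."""


def _convert(node):
    """Map an AST node to plain data without ever executing it."""
    if isinstance(node, ast.Call):
        # Only bare names are accepted as call targets: no attributes,
        # subscripts or nested calls that would reach other objects.
        if not (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_VALIDATORS):
            raise UnsafeSchemaExpression("call target is not an allowlisted validator")
        if any(kw.arg is None for kw in node.keywords):  # rejects **mapping
            raise UnsafeSchemaExpression("keyword unpacking is not allowed")
        args = [_convert(arg) for arg in node.args]
        kwargs = {kw.arg: _convert(kw.value) for kw in node.keywords}
        return (node.func.id, args, kwargs)
    try:
        # literal_eval accepts only constants and literal containers.
        return ast.literal_eval(node)
    except (ValueError, TypeError) as exc:
        raise UnsafeSchemaExpression("argument is not a plain literal") from exc


def parse_validator(expression):
    """Return (name, args, kwargs) for one validator expression."""
    try:
        tree = ast.parse(expression.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeSchemaExpression("not a valid expression") from exc
    if not isinstance(tree.body, ast.Call):
        raise UnsafeSchemaExpression("expected a validator call")
    return _convert(tree.body)


def is_allowed(expression):
    """True if the expression would be accepted by parse_validator."""
    try:
        parse_validator(expression)
        return True
    except UnsafeSchemaExpression:
        return False
```

The parser returns plain tuples, lists and dicts, so constructing the actual validator objects from the result is a lookup in a fixed table and never involves evaluating schema text.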

This issue may be exploited remotely if some piece of the vendor code allows an attacker to control the schema file, for example:

subprocess.run(["yamale", "-s", remote_userinput, "/path/to/file_to_validate"])

This scenario is much more likely to be exploited as part of a parameter injection attack.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Newly discovered code injection vulnerability in Yamale