Home / Companies / JFrog / Blog / Post Details
Content Deep Dive

23andMe’s Yamale Python code injection, and properly sanitizing eval()

Blog post from JFrog

Post Details
Company
Date Published
Author
Andrey Polkovneychenko and Shachar Menashe
Word Count
860
Company Posts That Month
8
Language
English
Hacker News Points
-
Post removed?
No
Summary

JFrog's security research team has identified a code injection vulnerability in Yamale, a widely-used YAML schema validator, under the CVE-2021-38305 designation. The vulnerability arises from the ability of attackers to manipulate the schema file, one of the mandatory parameters for Yamale, to execute arbitrary Python code due to its handling of the eval function. Despite efforts to limit vulnerabilities by restricting built-in functions, attackers can still leverage Python reflection to execute code. Yamale's maintainers addressed the issue by introducing a whitelist to sanitize input before evaluation, although using ast.literal_eval is recommended as a safer alternative. While remote exploitation is theoretically possible if an attacker can control the schema file, such scenarios are rare in production environments. The report highlights the importance of sanitizing eval inputs and praises Yamale's maintainers for their prompt response in addressing the security flaw.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.