{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35832?format=json","vulnerability_id":"VCID-erwm-mscq-9yer","summary":"23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing and attempts to protect against malicious expressions by limiting the builtins passed to eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.","aliases":[{"alias":"CVE-2021-38305"},{"alias":"GHSA-435p-f82x-mxwm"},{"alias":"PYSEC-2021-119"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22934?format=json","purl":"pkg:pypi/yamale@3.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.8"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22897?format=json","purl":"pkg:pypi/yamale@1.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/22898?format=json","purl":"pkg:pypi/yamale@1.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22899?format=json","purl":"pkg:pypi/yamale@1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22900?format=json","purl":"pkg:pypi/yam
ale@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22901?format=json","purl":"pkg:pypi/yamale@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22902?format=json","purl":"pkg:pypi/yamale@1.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22903?format=json","purl":"pkg:pypi/yamale@1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22904?format=json","purl":"pkg:pypi/yamale@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22905?format=json","purl":"pkg:pypi/yamale@1.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.2"},{"url":"http://public2.vulnerablecode.io/api/packages/22906?format=json","purl":"pkg:pypi/yamale@1.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/22907?format=json","purl":"pkg:pypi/yamale@1.5.4","is_vulnerable":true,"affected_by_vu
lnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/22908?format=json","purl":"pkg:pypi/yamale@1.5.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.5"},{"url":"http://public2.vulnerablecode.io/api/packages/22909?format=json","purl":"pkg:pypi/yamale@1.5.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/22910?format=json","purl":"pkg:pypi/yamale@1.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22911?format=json","purl":"pkg:pypi/yamale@1.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22912?format=json","purl":"pkg:pypi/yamale@1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/22913?format=json","purl":"pkg:pypi/yamale@1.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.6.3"},{"url":"http://public2.vulnerablecode.io/api/packages/22914?format=json","purl":"pkg:pypi/yamale@1.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-msc
q-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/22915?format=json","purl":"pkg:pypi/yamale@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22916?format=json","purl":"pkg:pypi/yamale@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22917?format=json","purl":"pkg:pypi/yamale@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22918?format=json","purl":"pkg:pypi/yamale@1.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22919?format=json","purl":"pkg:pypi/yamale@1.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22920?format=json","purl":"pkg:pypi/yamale@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@1.10.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22921?format=json","purl":"pkg:pypi/yamale@1.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vul
nerablecode.io/packages/pkg:pypi/yamale@1.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22922?format=json","purl":"pkg:pypi/yamale@2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22923?format=json","purl":"pkg:pypi/yamale@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@2.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22924?format=json","purl":"pkg:pypi/yamale@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22925?format=json","purl":"pkg:pypi/yamale@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@2.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22926?format=json","purl":"pkg:pypi/yamale@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/22927?format=json","purl":"pkg:pypi/yamale@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/22928?format=json","purl":"pkg:pypi/yamale@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.2"},{"
url":"http://public2.vulnerablecode.io/api/packages/22929?format=json","purl":"pkg:pypi/yamale@3.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/22930?format=json","purl":"pkg:pypi/yamale@3.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/22931?format=json","purl":"pkg:pypi/yamale@3.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/22932?format=json","purl":"pkg:pypi/yamale@3.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/22933?format=json","purl":"pkg:pypi/yamale@3.0.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-erwm-mscq-9yer"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/yamale@3.0.7"}],"references":[{"reference_url":"https://github.com/23andMe/Yamale","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/23andMe/Yamale"},{"reference_url":"https://github.com/23andMe/Yamale/pull/165","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/23andMe/Yamale/pull/165"},{"reference_url":"https://github.com/23andMe/Yamale/releases/tag/3.0.8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/23andMe/Yamale/releases/tag/3.0.8"},{"reference_url":"https://github.com/advisories/GHSA-435p-f82x-mxwm","reference_id":"","reference_
type":"","scores":[],"url":"https://github.com/advisories/GHSA-435p-f82x-mxwm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/yamale/PYSEC-2021-119.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/yamale/PYSEC-2021-119.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38305","reference_id":"CVE-2021-38305","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38305"}],"weaknesses":[{"cwe_id":434,"name":"Unrestricted Upload of File with Dangerous Type","description":"The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment."},{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-erwm-mscq-9yer"}