CVE-2021-38305

HIGH Year: 2021
CVSS v3 Score
7.8
High
CVSS v2 Score
9.3
Critical
Weakness Type
CWE-434
View all →

Vulnerability Description

23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. The schema parser uses eval as part of its processing, and tries to protect from malicious expressions by limiting the builtins that are passed to the eval. When processing the schema, each line is run through Python's eval function to make the validator available. A well-constructed string within the schema rules can execute system commands; thus, by exploiting the vulnerability, an attacker can run arbitrary code on the image that invokes Yamale.

Related Vulnerabilities

CVE-2010-4661

HIGH
CVSS:7.8(High)

udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.

CWE-4342010

CVE-2015-0796

HIGH
CVSS:7.8(High)

In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow bui...

CWE-4342015

CVE-2015-1000013

HIGH
CVSS:7.8(High)

Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v1.1

CWE-4342015

CVE-2015-7571

HIGH
CVSS:7.8(High)

Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.

CWE-4342015

CVE-2017-13156

HIGH
CVSS:7.8(High)

An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.

CWE-4342017

CVE-2017-2699

HIGH
CVSS:7.8(High)

The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versions earlier than CRR-L09C432B380, versions earlier than LYO-L21C577B128 has a privilege elevation vulnerability. An attacker could ...

CWE-4342017