A high-severity code injection vulnerability has been disclosed in 23andMe’s Yamale. The flaw involves manipulating the schema file provided as input to the tool to execute arbitrary Python code. The vulnerability resides in the Schema parsing function, which allows any input passed to be evaluated and executed. The findings are the latest in a series of security issues uncovered by JFrog in Python packages. In June 2021, Vdoo disclosed typosquatted packages in the PyPI repository that were found to download and execute third-party cryptominers such as T-Rex, ubqminer, or PhoenixMiner.
Source: https://thehackernews.com/2021/10/code-execution-bug-affects-yamale.html
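The bug class described above is a schema parser that hands validator expressions to `eval()`, so the schema file becomes a code file. The following is an added illustration and not Yamale's code: a hypothetical toy schema language (`key: int(min=..., max=...)`, `key: str(max=...)`) parsed two ways. `parse_schema_unsafe` shows the dangerous pattern, where any Python expression in the schema is evaluated; `parse_schema_safe` parses the same text with the `ast` module, admits only a fixed set of validator names with literal keyword arguments, and raises `SchemaError` for anything else. The validator names, argument names and sample schemas are all constructed for the example.

```python
import ast


class SchemaError(ValueError):
    """Raised by the hardened parser for anything outside the schema grammar."""


# Validators of the toy schema language (hypothetical; not Yamale's).
class Int:
    def __init__(self, min=None, max=None):
        self.min, self.max = min, max

    def check(self, value):
        if isinstance(value, bool) or not isinstance(value, int):
            return "expected int"
        if self.min is not None and value < self.min:
            return f"below min {self.min}"
        if self.max is not None and value > self.max:
            return f"above max {self.max}"
        return None


class Str:
    def __init__(self, max=None):
        self.max = max

    def check(self, value):
        if not isinstance(value, str):
            return "expected str"
        if self.max is not None and len(value) > self.max:
            return f"longer than {self.max}"
        return None


VALIDATORS = {"int": Int, "str": Str}


def parse_schema_unsafe(schema_text):
    """The dangerous pattern: each validator expression is handed to eval().
    Passing only the validators as globals does not stop eval() from reaching
    builtins, so any Python expression in the schema file runs with the
    privileges of the tool that loads it."""
    rules = {}
    for line in schema_text.splitlines():
        key, _, expr = line.partition(":")
        rules[key.strip()] = eval(expr.strip(), dict(VALIDATORS))
    return rules


def _parse_validator(expr, lineno):
    """Accept only `name(kw=literal, ...)` where name is a known validator."""
    try:
        node = ast.parse(expr, mode="eval").body
    except SyntaxError:
        raise SchemaError(f"line {lineno}: not a validator expression")
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
        raise SchemaError(f"line {lineno}: expected a validator call")
    cls = VALIDATORS.get(node.func.id)
    if cls is None:
        raise SchemaError(f"line {lineno}: unknown validator {node.func.id!r}")
    if node.args:
        raise SchemaError(f"line {lineno}: positional arguments not allowed")
    kwargs = {}
    for kw in node.keywords:
        if kw.arg is None:  # **spread
            raise SchemaError(f"line {lineno}: keyword expansion not allowed")
        try:
            # literal_eval accepts only constants/containers, never calls or names
            kwargs[kw.arg] = ast.literal_eval(kw.value)
        except ValueError:
            raise SchemaError(f"line {lineno}: argument {kw.arg!r} must be a literal")
    try:
        return cls(**kwargs)
    except TypeError as e:
        raise SchemaError(f"line {lineno}: {e}")


def parse_schema_safe(schema_text):
    """Hardened parser: the schema is data, parsed structurally, never executed."""
    rules = {}
    for lineno, line in enumerate(schema_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, expr = line.partition(":")
        if not sep or not key.strip():
            raise SchemaError(f"line {lineno}: expected 'key: validator(...)'")
        rules[key.strip()] = _parse_validator(expr.strip(), lineno)
    return rules


def validate(rules, data):
    """Return a list of 'key: problem' strings; an empty list means data conforms."""
    problems = []
    for key, validator in rules.items():
        if key not in data:
            problems.append(f"{key}: missing")
            continue
        msg = validator.check(data[key])
        if msg:
            problems.append(f"{key}: {msg}")
    return problems


def schema_rejected(schema_text):
    """True if the hardened parser refuses the schema text."""
    try:
        parse_schema_safe(schema_text)
    except SchemaError:
        return True
    return False


if __name__ == "__main__":
    # Constructed schema and data for the demo.
    schema = "age: int(min=0, max=150)\nname: str(max=32)"
    print(validate(parse_schema_safe(schema), {"age": 30, "name": "Ada"}))
    # A schema line that is a Python expression rather than a validator: the
    # unsafe parser evaluates it (a harmless builtin here), the safe one refuses.
    print(parse_schema_unsafe("n: len('abc')")["n"])
    print(schema_rejected("n: len('abc')"))
```

The defensive point is in `_parse_validator`: instead of asking the interpreter what an expression means, the parser inspects the syntax tree and accepts a single call to a known validator with literal arguments. Every other shape (an unknown name, a nested call, a positional argument, a `**` expansion) is a hard parse error, so the schema file can describe data but cannot run code.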

