In 23andMe’s Yamale, a YAML schema and validator, a highseverity code injection vulnerability was discovered that may be easily abused by attackers to execute arbitrary Python code.
To get around protections and execute code, the defect manipulates the schema file provided as input to the tool. The flaw is in the schema parsing function, which allows any input to be parsed and executed, which can be used for system command injection.