CVE-2021-27213
Description
config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pystemon before 2021-02-13 allows code execution via YAML deserialization due to unsafe loading.
Vulnerability
In pystemon before commit dbeb87afefdb63de2f4cff69b6f10c5965d14b54 (2021-02-13), the _load_yamlconfig function in config.py used yaml.load() with Loader=yaml.FullLoader (or the default Loader for older PyYAML) instead of yaml.safe_load() or yaml.load(..., Loader=yaml.SafeLoader). This allowed arbitrary code execution via deserialization of untrusted YAML data [1].
Exploitation
An attacker who can provide a malicious YAML configuration file to pystemon (e.g., by controlling the configuration input or via a supply-chain attack) can craft a YAML payload that executes arbitrary Python code when parsed by the vulnerable yaml.load(). No authentication is required if the attacker has file write access to the configuration path [1].
Impact
Successful exploitation yields arbitrary code execution on the server running pystemon with the privileges of the process, potentially leading to full system compromise [1].
Mitigation
The fix was committed on 2021-02-13 in commit dbeb87afefdb63de2f4cff69b6f10c5965d14b54, replacing yaml.load() with yaml.safe_load() and yaml.load(..., Loader=yaml.SafeLoader). Users should update to the latest version of pystemon containing this commit. No workaround is available other than upgrading [1].
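The following is an added example, not pystemon's own code and not the content of the fix commit. It shows the hardened loading pattern the mitigation describes (SafeLoader only) next to the pre-fix pattern (FullLoader), and a check that a document carrying a Python-specific tag is refused by the safe loader instead of being turned into a Python object. It assumes PyYAML is installed; the config keys and file contents are constructed placeholders, not pystemon's real configuration schema.

```python
"""Added example: restrict YAML config parsing to SafeLoader.

Not pystemon's code. Assumes PyYAML is importable as `yaml`.
"""
import yaml

# Constructed sample config; keys are placeholders, not pystemon's schema.
GOOD_CONFIG = """\
archive:
  save: yes
  dir: /tmp/pastes
search:
  - name: example-key
    regex: "example"
"""

# Constructed sample carrying a Python-specific tag. SafeLoader has no
# constructor for `python/...` tags and raises ConstructorError; a full or
# unsafe loader would instead resolve the tag to a live Python object.
TAGGED_CONFIG = """\
archive:
  dir: !!python/name:builtins.str
"""


def load_config_prefix_pattern(text: str):
    """The pattern the fix replaced: FullLoader resolves Python tags.

    Kept only for comparison; do not use on untrusted input.
    """
    return yaml.load(text, Loader=yaml.FullLoader)


def load_config(text: str) -> dict:
    """Hardened pattern: SafeLoader only builds mappings, lists and scalars."""
    data = yaml.load(text, Loader=yaml.SafeLoader)  # same as yaml.safe_load
    if not isinstance(data, dict):
        raise ValueError("config root must be a mapping")
    return data


def rejects_python_tags(text: str) -> bool:
    """True if SafeLoader refuses the document because of an unconstructable tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_config(GOOD_CONFIG))
    print("tagged document rejected:", rejects_python_tags(TAGGED_CONFIG))
```

The useful regression check for a project that has made this change is the last function: feed the loader a document with a `!!python/...` tag and assert that parsing fails, so a later refactor back to `yaml.load()` with a permissive loader is caught by tests rather than in production.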
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: before 2021-02-13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/cvandeplas/pystemon/commit/dbeb87afefdb63de2f4cff69b6f10c5965d14b54 (MISC)
- www.huntr.dev/bounties/1-other-pystemon/ (MISC)
News mentions
No linked articles in our index yet.