CVE-2024-34073 – sagemaker

Package

Manager: pip
Name: sagemaker
Vulnerable Version: >=0 <2.214.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00293 pctl0.52189

Details

sagemaker-python-sdk Command Injection vulnerability ### Impact The capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. Impacted versions: <2.214.3 ### Credit We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process. ### Workarounds Do not override the “requirements_path” parameter of capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`, instead use the default value. ### References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting Fixed by: https://github.com/aws/sagemaker-python-sdk/pull/4556

Metadata

Created: 2024-05-03T20:26:03Z
Modified: 2024-05-03T20:26:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7pc3-pr3q-58vg/GHSA-7pc3-pr3q-58vg.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-7pc3-pr3q-58vg
Finding: F404
Auto approve: 1