Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7pc3-pr3q-58vg: sagemaker-python-sdk Command Injection vulnerability

Impact

The capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.

Impacted versions: <2.214.3

Credit

We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process.

Workarounds

Do not override the “requirements_path” parameter of capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils, instead use the default value.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Fixed by: https://github.com/aws/sagemaker-python-sdk/pull/4556

ghsa
#vulnerability#amazon#dos#git#rce#aws

Impact

The capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.

Impacted versions: <2.214.3

Credit

We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process.

Workarounds

Do not override the “requirements_path” parameter of capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils, instead use the default value.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Fixed by: aws/sagemaker-python-sdk#4556

References

  • GHSA-7pc3-pr3q-58vg
  • https://nvd.nist.gov/vuln/detail/CVE-2024-34073
  • aws/sagemaker-python-sdk#4556
  • aws/sagemaker-python-sdk@2d873d5

ghsa: Latest News

GHSA-hxf5-99xg-86hw: cap-std doesn't fully sandbox all the Windows device filenames