CVE-2024-34073: sagemaker-python-sdk Command Injection vulnerability
The capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.
Impacted versions: <2.214.3
References
- github.com/advisories/GHSA-7pc3-pr3q-58vg
- github.com/aws/sagemaker-python-sdk
- github.com/aws/sagemaker-python-sdk/commit/2d873d53f708ea570fc2e2a6974f8c3097fe9df5
- github.com/aws/sagemaker-python-sdk/pull/4556
- github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7pc3-pr3q-58vg
- nvd.nist.gov/vuln/detail/CVE-2024-34073
Code Behaviors & Features
Detect and mitigate CVE-2024-34073 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →