CVE-2024-34072

Name of the Vulnerable Software and Affected Versions sagemaker-python-sdk versions prior to 2.218.0

Description The issue concerns potentially unsafe deserialization in the sagemaker.base deserializers.NumpyDeserializer module when untrusted data is passed as pickled object arrays. This may allow an unprivileged third party to cause remote code execution or denial of service, affecting both confidentiality and integrity.

Recommendations For versions prior to 2.218.0, upgrade to version 2.218.0 to resolve the issue. For users unable to upgrade, do not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from trusted sources.