PT-2024-25684 · Amazon · Sagemaker-Python-Sdk

Kasimir123 · Published 2024-05-03 · Updated 2024-05-03 · CVE-2024-34073

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sagemaker-python-sdk versions prior to 2.214.3

Description: The capture_dependencies function in the sagemaker.serve.save_retrive.version_1_0_0.save.utils module allows potentially unsafe Operating System (OS) Command Injection if an inappropriate command is passed as the requirements_path parameter. This may allow an unprivileged third party to cause remote code execution or denial of service, affecting both confidentiality and integrity.

Recommendations: For versions prior to 2.214.3, upgrade to version 2.214.3 or later. As a temporary workaround, users unable to upgrade should not override the requirements_path parameter of the capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils and should instead use the default value.
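The pattern behind this advisory is a caller-controlled file path spliced into a shell command line. The following is an added, hypothetical illustration written for this page (it is not the sagemaker-python-sdk's own code): `build_pip_command_unsafe` shows the injectable string-building pattern, and `build_pip_command_safe` shows the hardened form that validates the path, confines it to an expected directory and passes an argv list so no shell ever parses it. All function names, the sample requirements file and the crafted input are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Characters a POSIX shell would treat as command syntax (assumption: POSIX shell).
SHELL_META = re.compile(r"[;&|`$<>()\n\"']")


def build_pip_command_unsafe(requirements_path: str) -> str:
    """Vulnerable pattern: the path is interpolated into one shell string.
    Handed to subprocess.run(..., shell=True), metacharacters in the path
    become extra commands. Returned here, never executed."""
    return f"pip install -r {requirements_path}"


def build_pip_command_safe(requirements_path: str, base_dir: Path) -> list[str]:
    """Hardened pattern: reject shell syntax, confine the path to base_dir,
    require a regular file, and return an argv list for shell=False."""
    if SHELL_META.search(requirements_path):
        raise ValueError("requirements_path contains shell metacharacters")
    base = base_dir.resolve()
    path = (base / requirements_path).resolve()
    if not path.is_relative_to(base):
        raise ValueError("requirements_path escapes the expected directory")
    if not path.is_file():
        raise ValueError("requirements_path is not an existing file")
    return ["pip", "install", "-r", str(path)]


def run_demo() -> dict:
    """Exercise both builders on a constructed requirements file, a crafted
    input carrying shell syntax, and a path-traversal attempt."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "requirements.txt").write_text("numpy==1.26.4\n")  # constructed
        crafted = "requirements.txt; echo INJECTED"                 # constructed
        results["unsafe_cmd"] = build_pip_command_unsafe(crafted)
        results["safe_ok"] = build_pip_command_safe("requirements.txt", base)
        for key, bad in (("meta_rejected", crafted), ("traversal_rejected", "../x.txt")):
            try:
                build_pip_command_safe(bad, base)
                results[key] = False
            except ValueError:
                results[key] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The unsafe builder returns `pip install -r requirements.txt; echo INJECTED`, which a shell would run as two commands; the safe builder raises before any command is formed.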


Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2024-34073
GHSA-7PC3-PR3Q-58VG

Affected Products

Sagemaker-Python-Sdk