Remote Code Execution Vulnerability in SageMaker Python SDK by AWS
CVE-2024-34072

Currently unrated

Key Information:

Vendor: AWS
Status: SageMaker Python SDK
Vendor: CVE Published:; 3 May 2024

What is CVE-2024-34072?

The SageMaker Python SDK, utilized for training and deploying machine learning models on Amazon SageMaker, contains a deserialization flaw in the 'sagemaker.base_deserializers.NumpyDeserializer' module prior to version 2.218.0. This vulnerability allows for unsafe deserialization of untrusted pickled numpy object arrays, potentially enabling unprivileged attackers to execute remote code or trigger denial of service attacks. This situation could compromise the confidentiality and integrity of the system. Users are strongly encouraged to update to version 2.218.0 or later to mitigate this risk. If upgrading is not feasible, it is critical to avoid processing pickled numpy object arrays from untrusted or potentially compromised sources.

References

https://github.com/aws/sagemaker-python-sdk/security/advi...

https://github.com/aws/sagemaker-python-sdk/pull/4557

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024