OS Command Injection Vulnerability in Amazon SageMaker Python SDK
CVE-2024-34073

Currently unrated

Key Information:

Vendor: Amazon
CVE Published: 3 May 2024

What is CVE-2024-34073?

The sagemaker-python-sdk library, used for training and deploying machine learning models on Amazon SageMaker, contains an OS command injection vulnerability. The issue lies in the 'capture_dependencies' function of the 'sagemaker.serve.save_retrive.version_1_0_0.save.utils' module, which passes the caller-supplied 'requirements_path' parameter into an OS command without sanitising it, so a value containing shell command content is executed rather than treated as a file path. If exploited, the flaw permits an unprivileged attacker to execute arbitrary commands, potentially leading to remote code execution and denial-of-service conditions that compromise data confidentiality and integrity. Users should upgrade to version 2.214.3 or later. Those unable to update are advised not to alter the 'requirements_path' parameter and to keep its default setting.
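The pattern behind this class of bug, and the fix the advisory implies, as an added illustration that is not the SDK's own code: a hypothetical helper that splices 'requirements_path' into a shell string, beside a hardened version that allow-lists the path, confines it to a known directory, and runs pip as an argv list with no shell. The function names, the regular expression and the sample values are constructed for this example.

```python
import re
import subprocess
import sys
from pathlib import Path

# Constructed allow-list: plain path characters only. Shell metacharacters
# such as ; | & $ ` < > and whitespace are rejected before anything runs.
_SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def build_freeze_command_unsafe(requirements_path: str) -> str:
    """Vulnerable pattern (hypothetical, not the SDK's code): the parameter is
    spliced into a command string. Run with shell=True, every shell
    metacharacter in requirements_path is interpreted instead of being a file name."""
    return f"pip freeze > {requirements_path}"


def validate_requirements_path(requirements_path: str, root: Path) -> Path:
    """Reject anything that is not a .txt file confined under root."""
    if not _SAFE_PATH.fullmatch(requirements_path):
        raise ValueError("requirements_path contains disallowed characters")
    # An absolute value or '..' segments would resolve outside root; catch both.
    resolved = (root / requirements_path).resolve()
    if root.resolve() not in resolved.parents:
        raise ValueError("requirements_path escapes the dependency directory")
    if resolved.suffix != ".txt":
        raise ValueError("requirements_path must name a .txt file")
    return resolved


def capture_dependencies_safe(requirements_path: str, root: Path,
                              run=subprocess.run) -> Path:
    """Hardened pattern: validate first, invoke pip as an argv list (no shell
    parsing of the argument), and write the output from Python rather than
    through a shell redirect. `run` is injectable so callers can test offline."""
    target = validate_requirements_path(requirements_path, root)
    result = run([sys.executable, "-m", "pip", "freeze"],
                 capture_output=True, text=True, check=True)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(result.stdout)
    return target


if __name__ == "__main__":
    # The unsafe builder happily embeds a second command; the safe path refuses it.
    print(build_freeze_command_unsafe("reqs.txt; echo INJECTED"))
    print(capture_dependencies_safe("reqs.txt", Path.cwd() / "deps"))
```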


Timeline

  • Vulnerability published (3 May 2024)