OS Command Injection Vulnerability in Amazon SageMaker Python SDK
CVE-2024-34073

Key Information:

Vendor: Amazon
CVE Published: 3 May 2024

What is CVE-2024-34073?

The sagemaker-python-sdk library, used to train and deploy machine learning models on Amazon SageMaker, contains an OS command injection vulnerability. The issue lies in the 'capture_dependencies' function of the 'sagemaker.serve.save_retrive.version_1_0_0.save.utils' module: when a value containing shell commands is supplied as the 'requirements_path' parameter, those commands are executed. An unprivileged attacker who can influence this parameter can therefore run arbitrary commands, which may lead to remote code execution or denial of service and compromise the confidentiality and integrity of data. Users should upgrade to version 2.214.3 or later. Those who cannot upgrade are advised not to change the 'requirements_path' parameter and to leave it at its default value.
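As an added defensive illustration (not code from the SageMaker SDK or from this advisory), the snippet below shows how a caller can validate a 'requirements_path' value before use and write the dependency list without ever passing the path to a shell; the function names, the 'base_dir' argument and the metacharacter pattern are assumptions.

```python
import re
import subprocess
import sys
from pathlib import Path

# Characters that carry meaning only when a string is parsed by a shell.
# A plain requirements file path never needs any of them.
_SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\n\r\t\"' \\]")


def is_safe_requirements_path(requirements_path: str, base_dir: str) -> bool:
    """Accept only a plain .txt path that stays inside base_dir and contains
    no shell syntax. Anything else is rejected before it reaches a subprocess."""
    if not requirements_path or _SHELL_META.search(requirements_path):
        return False
    base = Path(base_dir).resolve()
    # Path(base, absolute_path) discards base, and resolve() collapses '..',
    # so both absolute paths and traversal end up outside base and fail below.
    target = Path(base, requirements_path).resolve()
    if base not in target.parents:
        return False
    return target.suffix == ".txt"


def safe_capture_dependencies(requirements_path: str, base_dir: str) -> Path:
    """Write `pip freeze` output to the validated path without a shell.
    Hypothetical hardened counterpart to the vulnerable call; not the SDK's code."""
    if not is_safe_requirements_path(requirements_path, base_dir):
        raise ValueError(f"refusing unsafe requirements_path: {requirements_path!r}")
    target = Path(base_dir, requirements_path).resolve()
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        # argv list with shell=False: the path is only a file handle here, never
        # text that a shell could interpret as a command separator or redirect.
        subprocess.run([sys.executable, "-m", "pip", "freeze"],
                       stdout=fh, check=True)
    return target
```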

Timeline

  • Vulnerability published
