{"id":"GHSA-7pc3-pr3q-58vg","summary":"sagemaker-python-sdk Command Injection vulnerability","details":"### Impact\n\nThe `capture_dependencies` function in the `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module, in versions before 2.214.3, is vulnerable to Operating System (OS) Command Injection (CWE-78): the value passed as the `requirements_path` parameter reaches an OS command without sanitization, so a crafted value can inject additional shell commands. This may allow an unprivileged third party to achieve remote code execution or denial of service, affecting confidentiality, integrity and availability.\n\nImpacted versions: \u003c2.214.3\n\n### Credit\n\nWe would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process.\n\n### Workarounds\n\nDo not override the `requirements_path` parameter of `capture_dependencies` in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`; use the default value instead.\n\n### References\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.\n\n[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting\n\nFixed by: https://github.com/aws/sagemaker-python-sdk/pull/4556","aliases":["CVE-2024-34073"],"modified":"2024-05-03T20:41:33.791524Z","published":"2024-05-03T20:26:03Z","database_specific":{"github_reviewed_at":"2024-05-03T20:26:03Z","severity":"HIGH","github_reviewed":true,"nvd_published_at":"2024-05-03T11:15:22Z","cwe_ids":["CWE-78"]},"references":[{"type":"WEB","url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7pc3-pr3q-58vg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34073"},{"type":"WEB","url":"https://github.com/aws/sagemaker-python-sdk/pull/4556"},{"type":"WEB","url":"https://github.com/aws/sagemaker-python-sdk/commit/2d873d53f708ea570fc2e2a6974f8c3097fe9df5"},{"type":"PACKAGE","url":"https://github.com/aws/sagemaker-python-sdk"}],"affected":[{"package":{"name":"sagemaker","ecosystem":"PyPI","purl":"pkg:pypi/sagemaker"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.214.3"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.10.1","1.11.0","1.11.1","1.11.2","1.11.3","1.12.0","1.13.0","1.14.0","1.14.1","1.14.2","1.15.0","1.15.1","1.15.2","1.16.1","1.16.1.post1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.18.0","1.18.1","1.18.10","1.18.11","1.18.12","1.18.13","1.18.14","1.18.14.post0","1.18.14.post1","1.18.15","1.18.16","1.18.17","1.18.18","1.18.19","1.18.2","1.18.3","1.18.3.post1","1.18.4","1.18.5","1.18.6.post0","1.18.7","1.18.8","1.18.9","1.18.9.post0","1.18.9.post1","1.19.0","1.19.1","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.20.0","1.20.1","1.20.2","1.20.3","1.21.0","1.21.1","1.21.2","1.22.0","1.23.0","1.24.0","1.25.0","1.25.1","1.26.0","1.27.0","1.28.0","1.28.1","1.28.2","1.28.3","1.29.0","1.3.0","1.30.0","1.31.0","1.31.1","1.32.0","1.32.1","1.32.2","1.33.0","1.34.0","1.34.1","1.34.2","1.34.3","1.35.0"
,"1.35.1","1.36.0","1.36.1","1.36.2","1.36.3","1.36.4","1.37.0","1.37.1","1.37.2","1.38.0","1.38.1","1.38.2","1.38.3","1.38.4","1.38.5","1.38.6","1.39.0","1.39.1","1.39.2","1.39.3","1.39.4","1.4.0","1.4.1","1.4.2","1.40.0","1.40.1","1.40.2","1.41.0","1.42.0","1.42.1","1.42.2","1.42.3","1.42.4","1.42.5","1.42.6","1.42.6.post0","1.42.7","1.42.8","1.42.9","1.43.0","1.43.1","1.43.2","1.43.3","1.43.4","1.43.4.post0","1.43.4.post1","1.43.5","1.44.0","1.44.1","1.44.2","1.44.3","1.44.4","1.45.0","1.45.1","1.45.2","1.46.0","1.47.1","1.48.0","1.48.1","1.49.0","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.50.0","1.50.1","1.50.10","1.50.10.post0","1.50.11","1.50.12","1.50.13","1.50.14","1.50.14.post0","1.50.15","1.50.16","1.50.17","1.50.17.post0","1.50.18","1.50.18.post0","1.50.2","1.50.3","1.50.4","1.50.5","1.50.6","1.50.6.post0","1.50.7","1.50.8","1.50.9","1.50.9.post0","1.51.0","1.51.1","1.51.2","1.51.3","1.51.4","1.52.0","1.52.0.post0","1.52.1","1.53.0","1.54.0","1.55.0","1.55.0.post0","1.55.1","1.55.2","1.55.3","1.55.4","1.56.0","1.56.1","1.56.1.post0","1.56.1.post1","1.56.2","1.56.3","1.57.0","1.58.0","1.58.1","1.58.2","1.58.2.post0","1.58.3","1.58.4","1.59.0","1.6.0","1.6.1","1.60.0","1.60.0.post0","1.60.1","1.60.2","1.61.0","1.62.0","1.63.0","1.64.0","1.64.1","1.65.0","1.65.1","1.65.1.post0","1.65.1.post1","1.66.0","1.67.0","1.67.1","1.67.1.post0","1.68.0","1.69.0","1.7.0","1.7.1","1.7.2","1.70.0","1.70.1","1.70.2","1.71.0","1.71.1","1.72.0","1.72.1","1.8.0","1.9.0","1.9.1","1.9.2","1.9.3","1.9.3.1","2.0.0","2.0.1","2.1.0","2.10.0","2.100.0","2.101.1","2.102.0","2.103.0","2.104.0","2.105.0","2.106.0","2.107.0","2.108.0","2.109.0","2.11.0","2.110.0","2.111.0","2.112.0","2.112.1","2.112.2","2.113.0","2.114.0","2.115.0","2.116.0","2.117.0","2.118.0","2.119.0","2.12.0","2.120.0","2.121.0","2.121.1","2.121.2","2.122.0","2.122.1.dev0","2.123.0","2.124.0","2.125.0","2.126.0","2.127.0","2.128.0","2.129.0","2.13.0","2.130.0","2.131.0","2.131.1","2.132.0","2.133.0","2.134.0","2.134.1","2.135.0","2.135.1","2.135.1.post0","2.136.0","2.137.0","2.138.0","2.139.0","2.14.0","2.140.0","2.140.1","2.141.0","2.142.0","2.143.0","2.144.0","2.145.0","2.146.0","2.146.1","2.147.0","2.148.0","2.149.0","2.15.0","2.15.1","2.15.2","2.15.3","2.15.4","2.150.0","2.151.0","2.152.0","2.153.0","2.154.0","2.155.0","2.156.0","2.157.0","2.158.0","2.159.0","2.16.0","2.16.0.post0","2.16.1","2.16.2","2.16.3","2.16.3.post0","2.16.4","2.160.0","2.161.0","2.162.0","2.163.0","2.164.0","2.165.0","2.166.0","2.167.0","2.168.0","2.169.0","2.17.0","2.170.0","2.171.0","2.172.0","2.173.0","2.174.0","2.175.0","2.176.0","2.177.0","2.177.1","2.178.0","2.179.0","2.18.0","2.180.0","2.181.0","2.182.0","2.183.0","2.184.0","2.184.0.post0","2.185.0","2.186.0","2.187.0","2.188.0","2.189.0","2.19.0","2.190.0","2.191.0","2.192.0","2.192.1","2.193.0","2.194.0","2.195.0","2.195.1","2.196.0","2.197.0","2.197.1","2.198.0","2.198.1","2.199.0","2.2.0","2.20.0","2.200.0","2.200.1","2.201.0","2.202.0","2.202.1","2.203.0","2.203.1","2.204.0","2.205.0","2.206.0","2.207.0","2.207.1","2.208.0","2.209.0","2.21.0","2.210.0","2.211.0","2.212.0","2.213.0","2.214.0","2.214.1","2.214.2","2.22.0","2.23.0","2.23.1","2.23.2","2.23.3","2.23.4","2.23.4.post0","2.23.5","2.23.6","2.24.0","2.24.1","2.24.2","2.24.3","2.24.4","2.24.5","2.25.0","2.25.1","2.25.2","2.26.0","2.27.0","2.27.1","2.28.0","2.29.0","2.29.1","2.29.2","2.3.0","2.30.0","2.31.0","2.31.1","2.32.0","2.32.1","2.33.0","2.34.0","2.35.0","2.36.0","2.37.0","2.38.0","2.39.0","2.39.0.post0","2.39.1","2.4.0","2.4.1","2.4.2","2.40.0","2.41.0","2.42.0","2.42.1","2.43.0","2.44.0","2.45.0","2.46.0","2.46.1","2.47.0","2.47.1","2.47.2","2.47.2.post0","2.48.0","2.48.1","2.48.2","2.49.0","2.49.1","2.49.2","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.50.0","2.50.1","2.51.0","2.52.0","2.52.1","2.52.2","2.52.2.post0","2.53.0","2.54.0","2.54.1.dev0","2.55.0","2.56.0","2.57.0","2.58.0","2.59.0","2.59.1","2.59.1.post0","2.59.2","2.59.3","2.59.3.post0","2.59.4","2.59.5","2.59.6","2.59.7","2.59.8","2.6.0","2.60.0","2.61.0","2.62.0","2.63.0","2.63.1","2.63.2","2.64.0","2.65.0","2.66.0","2.66.1","2.66.2","2.66.2.post0","2.67.0","2.68.0","2.69.0","2.7.0","2.70.0","2.71.0","2.72.0","2.72.1","2.72.2","2.72.3","2.73.0","2.74.0","2.75.0","2.75.1","2.76.0","2.77.0","2.77.1","2.78.0","2.79.0","2.8.0","2.80.0","2.81.0","2.81.1","2.82.0","2.82.1","2.82.2","2.83.0","2.84.0","2.85.0","2.86.0","2.86.1","2.86.2","2.87.0","2.88.0","2.88.1","2.88.2","2.88.3","2.89.0","2.9.0","2.9.1","2.9.2","2.90.0","2.91.0","2.91.1","2.92.0","2.92.1","2.92.2","2.93.0","2.93.1","2.94.0","2.95.0","2.96.0","2.97.0","2.98.0","2.99.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7pc3-pr3q-58vg/GHSA-7pc3-pr3q-58vg.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}
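The advisory record above describes the CWE-78 pattern: a caller-supplied `requirements_path` reaching an OS command. The Python below is an added illustration of that pattern and its hardening; it is not the sagemaker SDK's code and not a reconstruction of the fix in PR 4556. The function names, the `pip freeze` command shape and the validation rules are assumptions chosen for the example. The vulnerable function only returns the string a `shell=True` call would receive, so the example never executes attacker-controlled input; the hardened version accepts only a plain file name that resolves inside a working directory and runs the command as an argument vector with no shell.

```python
"""Added illustration of the CWE-78 pattern described in GHSA-7pc3-pr3q-58vg.

This is NOT the sagemaker SDK's code: the function names, the `pip freeze`
command shape and the validation rules are assumptions chosen to show the
vulnerable pattern beside a hardened one.
"""
import re
import subprocess
import sys
from pathlib import Path

# Allow-list for a requirements file name: first character alphanumeric, then
# only alphanumerics, dot, underscore and hyphen. No spaces, no shell
# metacharacters (; | & $ ` ( ) < > ...), no path separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unsafe_freeze_command(requirements_path: str) -> str:
    """The vulnerable shape (hypothetical): the caller's path is interpolated
    into one string destined for shell=True. This function only RETURNS that
    string so the example never executes attacker-controlled input; note that
    'req.txt; touch /tmp/pwned' hands the shell two commands."""
    return f"pip freeze > {requirements_path}"


def validate_requirements_path(requirements_path: str, work_dir: Path) -> Path:
    """Accept only a plain file name that resolves to a file directly inside
    work_dir, and return the resolved target path.

    Raises ValueError for anything else: path separators, '..', empty input,
    shell metacharacters (rejected by the allow-list), and a symlink pointing
    outside work_dir (rejected by comparing resolved parent and resolved root).
    """
    name = Path(requirements_path).name
    if name != requirements_path or not _SAFE_NAME.match(name):
        raise ValueError(
            f"requirements_path must be a plain file name: {requirements_path!r}"
        )
    work_root = work_dir.resolve()
    target = (work_root / name).resolve()
    if target.parent != work_root:
        raise ValueError(f"requirements_path escapes work_dir: {requirements_path!r}")
    return target


def is_safe_requirements_path(requirements_path: str, work_dir: str = ".") -> bool:
    """Boolean wrapper around validate_requirements_path for quick checks."""
    try:
        validate_requirements_path(requirements_path, Path(work_dir))
    except ValueError:
        return False
    return True


def freeze_argv() -> list:
    """Argument vector for the hardened call. With no shell involved, nothing
    in user input can become a second command or a redirection; the output
    file is opened by Python and passed as stdout=, not written via '>'."""
    return [sys.executable, "-m", "pip", "freeze"]


def capture_dependencies_safe(requirements_path: str, work_dir: Path) -> Path:
    """Hardened equivalent (hypothetical): validate first, then run without a
    shell and let Python, not the shell, open the output file."""
    target = validate_requirements_path(requirements_path, work_dir)
    with target.open("w", encoding="utf-8") as out:
        subprocess.run(freeze_argv(), check=True, stdout=out)
    return target


if __name__ == "__main__":
    # Stand-alone demo: show the injected command string, then the checks.
    # The candidate inputs are constructed for this example.
    payload = "req.txt; touch /tmp/pwned"
    print("shell would receive:", unsafe_freeze_command(payload))
    for candidate in ("requirements.txt", payload, "../requirements.txt",
                      "/etc/cron.d/job", "req$(id).txt"):
        print(f"{candidate!r:32} accepted={is_safe_requirements_path(candidate)}")
```

The allow-list on the file name is the part that does most of the work; resolving the path and comparing the parent directory closes the remaining hole where a symlink named like a valid file points outside the working directory. Keeping the output file out of the command string entirely (via `stdout=`) removes the need for any shell at all, which is the real fix for this class of bug.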