Products
sagemaker-python-sdk
- before v2.218.0
Source
security-advisories@github.com
Tags
CVE-2024-34072 details
Last Modified : May 3, 2024, 12:48 p.m.
Description
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. Users are advised to upgrade to version 2.218.0. Users unable to upgrade should not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from trusted sources.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.8 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.8
Exploitability Score
Impact Score
Base Severity
HIGH
Vector String : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
URL | Source |
---|---|
https://github.com/aws/sagemaker-python-sdk/pull/4557 | security-advisories@github.com |
https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-wjvx-jhpj-r54r | security-advisories@github.com |