{"data":{"id":"ec7b0056-6507-41b2-93e2-e4d055e0106b","title":"CVE-2024-34073: sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions, unsafe input passed as the requirements_path parameter of capture_dependencies allows OS command injection.","summary":"A vulnerability in sagemaker-python-sdk (a library for machine learning on Amazon SageMaker) allows OS command injection (running unauthorized system commands) if unsafe input is passed as the requirements_path parameter of the capture_dependencies function, potentially letting attackers execute code remotely or disrupt service. Versions before 2.214.3 are affected.","solution":"Upgrade to version 2.214.3 or later. Alternatively, users unable to upgrade should not override the \"requirements_path\" parameter of the capture_dependencies function and instead use the default value.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-34073","publishedAt":"2024-05-03T11:15:22.447Z","cveId":"CVE-2024-34073","cweIds":["CWE-78"],"cvssScore":"7.8","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Amazon"],"affectedVendorsRaw":["Amazon SageMaker","sagemaker-python-sdk"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00397,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}