Search for packages
| purl | pkg:pypi/sagemaker@2.169.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2zjb-zcsj-n3bh
Aliases: GHSA-5r2p-pjr8-7fh7 |
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality |
Affected by 0 other vulnerabilities. |
|
VCID-9bsc-uy28-skcp
Aliases: CVE-2026-1778 GHSA-62rc-f4v9-h543 |
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. |
Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-c8p2-hu11-uqfy
Aliases: CVE-2024-34073 GHSA-7pc3-pr3q-58vg |
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. This issue has been addressed in version 2.214.3. Users are advised to upgrade. Users unable to upgrade should not override the “requirements_path” parameter of capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`, and instead use the default value. |
Affected by 5 other vulnerabilities. |
|
VCID-hm7p-vy71-vucv
Aliases: CVE-2026-1777 GHSA-rjrp-m2jw-pv9c |
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-qxw3-juyf-eqfm
Aliases: CVE-2024-34072 GHSA-wjvx-jhpj-r54r |
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. Users are advised to upgrade to version 2.218.0. Users unable to upgrade should not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from trusted sources. |
Affected by 4 other vulnerabilities. |
|
VCID-zr1b-b765-1kh1
Aliases: CVE-2025-0508 GHSA-32g6-mg92-ghm2 |
A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||