{"url":"http://public2.vulnerablecode.io/api/packages/736596?format=json","purl":"pkg:pypi/sagemaker@1.15.1","type":"pypi","namespace":"","name":"sagemaker","version":"1.15.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.257.2","latest_non_vulnerable_version":"3.8.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49935?format=json","vulnerability_id":"VCID-9q6x-5ac2-m3gj","summary":"SageMaker Python SDK has Exposed HMAC\nSageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1777","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06396","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06461","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06452","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06442","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06404","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1777"},{"reference_url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/708c7b2f4135ecaec55973d098f3dbe98b657933","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/708c7b2f4135ecaec55973d098f3dbe98b657933"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/fb0d789db4fd5fecde5509963939369f4c7ce63b","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/fb0d789db4fd5fecde5509963939369f4c7ce63b"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:00:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:00:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0"},{"reference_url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS/","reference_id":"2026-004-AWS","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:00:05Z/"}],"url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1777","reference_id":"CVE-2026-1777","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1777"},{"reference_url":"https://github.com/advisories/GHSA-rjrp-m2jw-pv9c","reference_id":"GHSA-rjrp-m2jw-pv9c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjrp-m2jw-pv9c"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c","reference_id":"GHSA-rjrp-m2jw-pv9c","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:00:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73788?format=json","purl":"pkg:pypi/sagemaker@2.256.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@2.256.0"},{"url":"http://public2.vulnerablecode.io/api/packages/73787?format=json","purl":"pkg:pypi/sagemaker@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@3.2.0"}],"aliases":["CVE-2026-1777","GHSA-rjrp-m2jw-pv9c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9q6x-5ac2-m3gj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56918?format=json","vulnerability_id":"VCID-acwy-v1m2-n7ey","summary":"SageMaker Workflow component allows possibility of MD5 hash collisions\nA vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-0508","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33514","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33537","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33548","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33583","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33568","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-0508"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T14:26:53Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864"},{"reference_url":"https://huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T14:26:53Z/"}],"url":"https://huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0508","reference_id":"CVE-2025-0508","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0508"},{"reference_url":"https://github.com/advisories/GHSA-32g6-mg92-ghm2","reference_id":"GHSA-32g6-mg92-ghm2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-32g6-mg92-ghm2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84521?format=json","purl":"pkg:pypi/sagemaker@2.237.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9q6x-5ac2-m3gj"},{"vulnerability":"VCID-era1-qx3r-yybw"},{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@2.237.3"}],"aliases":["CVE-2025-0508","GHSA-32g6-mg92-ghm2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acwy-v1m2-n7ey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49945?format=json","vulnerability_id":"VCID-era1-qx3r-yybw","summary":"SageMaker Python SDK has Insecure TLS Configuration\nSageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1778","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01224","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01228","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01225","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1778"},{"reference_url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/5e7a3efa7bec0a161194ffa0cef346dda93bf2c6","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/5e7a3efa7bec0a161194ffa0cef346dda93bf2c6"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/c8098958910f7db78d07037425debfd4d44a6964","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/c8098958910f7db78d07037425debfd4d44a6964"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:02:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:02:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1"},{"reference_url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS/","reference_id":"2026-004-AWS","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:02:05Z/"}],"url":"https://aws.amazon.com/security/security-bulletins/2026-004-AWS/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1778","reference_id":"CVE-2026-1778","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1778"},{"reference_url":"https://github.com/advisories/GHSA-62rc-f4v9-h543","reference_id":"GHSA-62rc-f4v9-h543","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-62rc-f4v9-h543"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543","reference_id":"GHSA-62rc-f4v9-h543","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:02:05Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73788?format=json","purl":"pkg:pypi/sagemaker@2.256.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@2.256.0"},{"url":"http://public2.vulnerablecode.io/api/packages/73794?format=json","purl":"pkg:pypi/sagemaker@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9q6x-5ac2-m3gj"},{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@3.1.1"}],"aliases":["CVE-2026-1778","GHSA-62rc-f4v9-h543"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-era1-qx3r-yybw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54738?format=json","vulnerability_id":"VCID-g48w-e619-abgd","summary":"sagemaker-python-sdk Command Injection vulnerability\nThe capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.\n\nImpacted versions: <2.214.3","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34073","reference_id":"","reference_type":"","scores":[{"value":"0.00889","scoring_system":"epss","scoring_elements":"0.75924","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00889","scoring_system":"epss","scoring_elements":"0.75899","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00889","scoring_system":"epss","scoring_elements":"0.75912","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00889","scoring_system":"epss","scoring_elements":"0.7592","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00889","scoring_system":"epss","scoring_elements":"0.75921","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34073"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/2d873d53f708ea570fc2e2a6974f8c3097fe9df5","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-03T14:52:50Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/2d873d53f708ea570fc2e2a6974f8c3097fe9df5"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/pull/4556","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-03T14:52:50Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/pull/4556"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34073","reference_id":"CVE-2024-34073","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34073"},{"reference_url":"https://github.com/advisories/GHSA-7pc3-pr3q-58vg","reference_id":"GHSA-7pc3-pr3q-58vg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7pc3-pr3q-58vg"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7pc3-pr3q-58vg","reference_id":"GHSA-7pc3-pr3q-58vg","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-03T14:52:50Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7pc3-pr3q-58vg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81188?format=json","purl":"pkg:pypi/sagemaker@2.214.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9q6x-5ac2-m3gj"},{"vulnerability":"VCID-acwy-v1m2-n7ey"},{"vulnerability":"VCID-era1-qx3r-yybw"},{"vulnerability":"VCID-pvdy-d4xb-5ygq"},{"vulnerability":"VCID-qmyp-wk2g-rbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@2.214.3"}],"aliases":["CVE-2024-34073","GHSA-7pc3-pr3q-58vg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g48w-e619-abgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50700?format=json","vulnerability_id":"VCID-pvdy-d4xb-5ygq","summary":"SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality\nThis advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor with the ability to control query parameters passed to the search_hub() function could potentially provide malformed input that causes the eval() function to execute arbitrary commands, access sensitive data, or compromise the execution environment.\n\nA defense-in-depth enhancement has been implemented to replace code evaluation with safe string operations when processing search query parameters. This enhancement removes the use of eval() from the execution path, replacing it with a safe recursive descent parser. The change was released in SageMaker Python SDK version 3.4.0 on January 23, 2026. This advisory is informational to help customers understand their responsibilities regarding input validation and configuration security under the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/).","references":[{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/e706e578519bd9b92ea44b9b15f872eca5e77ea4","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/e706e578519bd9b92ea44b9b15f872eca5e77ea4"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/pull/5497","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/pull/5497"},{"reference_url":"https://github.com/advisories/GHSA-5r2p-pjr8-7fh7","reference_id":"GHSA-5r2p-pjr8-7fh7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5r2p-pjr8-7fh7"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-5r2p-pjr8-7fh7","reference_id":"GHSA-5r2p-pjr8-7fh7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-5r2p-pjr8-7fh7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74471?format=json","purl":"pkg:pypi/sagemaker@3.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@3.4.0"}],"aliases":["GHSA-5r2p-pjr8-7fh7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvdy-d4xb-5ygq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54734?format=json","vulnerability_id":"VCID-qmyp-wk2g-rbch","summary":"sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data\nsagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.\n\nImpacted versions: <2.218.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34072","reference_id":"","reference_type":"","scores":[{"value":"0.00593","scoring_system":"epss","scoring_elements":"0.69672","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00593","scoring_system":"epss","scoring_elements":"0.69683","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00593","scoring_system":"epss","scoring_elements":"0.69662","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00593","scoring_system":"epss","scoring_elements":"0.69682","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00593","scoring_system":"epss","scoring_elements":"0.69675","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34072"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/commit/72e0c9712aec6fbb82fb40fda091dfc2a42c70a0","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aws/sagemaker-python-sdk/commit/72e0c9712aec6fbb82fb40fda091dfc2a42c70a0"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/pull/4557","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-03T17:28:15Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/pull/4557"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34072","reference_id":"CVE-2024-34072","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34072"},{"reference_url":"https://github.com/advisories/GHSA-wjvx-jhpj-r54r","reference_id":"GHSA-wjvx-jhpj-r54r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wjvx-jhpj-r54r"},{"reference_url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-wjvx-jhpj-r54r","reference_id":"GHSA-wjvx-jhpj-r54r","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-03T17:28:15Z/"}],"url":"https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-wjvx-jhpj-r54r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81175?format=json","purl":"pkg:pypi/sagemaker@2.218.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9q6x-5ac2-m3gj"},{"vulnerability":"VCID-acwy-v1m2-n7ey"},{"vulnerability":"VCID-era1-qx3r-yybw"},{"vulnerability":"VCID-pvdy-d4xb-5ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@2.218.0"}],"aliases":["CVE-2024-34072","GHSA-wjvx-jhpj-r54r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qmyp-wk2g-rbch"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sagemaker@1.15.1"}