sagemaker 2.251.2.dev0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the sagemaker package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Insertion of Sensitive Information Into Sent Data sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the storage of HMAC keys and disclosure through the `DescribeTrainingJob` API. An attacker can extract secret keys from environment variables to insert in malicious serialized payloads by leveraging API permissions. When combined with write access to output locations, this can result in arbitrary code execution, unauthorized access to sensitive data, and the compromise of adjacent services or data in shared environments. Note: In multi-tenant environments, with shared S3 buckets, a disclosed HMAC key could act as a pivot point to perform actions against other users' remote function workloads. How to fix Insertion of Sensitive Information Into Sent Data? Upgrade `sagemaker` to version 2.256.0, 3.2.0 or higher.	[,2.256.0)[3.0,3.2.0)
H Missing Validation of OpenSSL Certificate sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate via the global disabling of SSL certificate verification in the Triton Python backend. An attacker in a position to intercept HTTPS traffic can replace models or dependencies with malicious versions resulting in the execution of arbitrary code in Triton containers. How to fix Missing Validation of OpenSSL Certificate? Upgrade `sagemaker` to version 2.256.0, 3.1.1 or higher.	[,2.256.0)[3.0,3.1.1)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information Into Sent Data

sagemaker is an Open source library for training and deploying models on Amazon SageMaker.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the storage of HMAC keys and disclosure through the DescribeTrainingJob API. An attacker can extract secret keys from environment variables to insert in malicious serialized payloads by leveraging API permissions. When combined with write access to output locations, this can result in arbitrary code execution, unauthorized access to sensitive data, and the compromise of adjacent services or data in shared environments.

Note: In multi-tenant environments, with shared S3 buckets, a disclosed HMAC key could act as a pivot point to perform actions against other users' remote function workloads.

How to fix Insertion of Sensitive Information Into Sent Data?

Upgrade sagemaker to version 2.256.0, 3.2.0 or higher.

[,2.256.0)[3.0,3.2.0)

Missing Validation of OpenSSL Certificate

sagemaker is an Open source library for training and deploying models on Amazon SageMaker.

Affected versions of this package are vulnerable to Missing Validation of OpenSSL Certificate via the global disabling of SSL certificate verification in the Triton Python backend. An attacker in a position to intercept HTTPS traffic can replace models or dependencies with malicious versions resulting in the execution of arbitrary code in Triton containers.

How to fix Missing Validation of OpenSSL Certificate?

Upgrade sagemaker to version 2.256.0, 3.1.1 or higher.

[,2.256.0)[3.0,3.1.1)

sagemaker@2.251.2.dev0 vulnerabilities

Open source library for training and deploying models on Amazon SageMaker.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically