22 matches found
CVE-2026-8596 Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...
PT-2026-41118
Name of the Vulnerable Software and Affected Versions Amazon SageMaker Python SDK versions prior to 2.257.2 Amazon SageMaker Python SDK versions prior to 3.8.0 Description Missing integrity verification in the Triton inference handler allows a remote authenticated actor with S3 write access to th...
CVE-2026-1778
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed...
GHSA-RJRP-M2JW-PV9C SageMaker Python SDK has Exposed HMAC
Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified. Impact - Function and Payload...
SageMaker Python SDK has Insecure TLS Configuration
Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. Impact Arbitrary Code Execution: Disabling SSL verification...
GHSA-62RC-F4V9-H543 SageMaker Python SDK has Insecure TLS Configuration
Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. Impact Arbitrary Code Execution: Disabling SSL verification...
CVE-2026-1778 TLS disabled by default in select aws/sagemaker-python-sdk configurations
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed...
CVE-2026-1778 TLS disabled by default in select aws/sagemaker-python-sdk configurations
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed...
CVE-2026-1777 Cleartext transmission of sensitive materials in aws/sagemaker-python-sdk
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output...
PT-2026-5708
Name of the Vulnerable Software and Affected Versions Amazon SageMaker Python SDK versions prior to 3.2.0 Amazon SageMaker Python SDK versions prior to 2.256.0 Description The Amazon SageMaker Python SDK contains the ModelBuilder HMAC signing key in cleartext within the response elements of the...
EUVD-2024-1498
Malicious code in bioql PyPI...
CVE-2024-34072
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently ma...
CVE-2024-34073
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capturedependencies function in sagemaker.serve.saveretrive.version100.save.utils module allows for potentially unsafe Operating System OS Command Injection if...
CVE-2024-34072
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently ma...
CVE-2024-34072 Deserialization of Untrusted Data in sagemaker-python-sdk
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently ma...
CVE-2024-34072 Deserialization of Untrusted Data in sagemaker-python-sdk
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently ma...
CVE-2024-34072
Summary (CVE-2024-34072) : The sagemaker-python-sdk’s sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 is vulnerable to unsafe deserialization of untrusted pickled numpy object arrays. This can enable a local attacker to achieve remote code execution, denial of service, and i...
CVE-2024-34072 Deserialization of Untrusted Data in sagemaker-python-sdk
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently ma...
CVE-2024-34073
The CVE concerns the sagemaker-python-sdk, where the capture_dependencies function in sagemaker.serve.save_retrive.version_1_0_0.save.utils allows potentially unsafe OS command injection if a malicious requirements_path is passed. This could enable remote code execution, denial of service, and co...
CVE-2024-34073 Command Injection in sagemaker-python-sdk
sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capturedependencies function in sagemaker.serve.saveretrive.version100.save.utils module allows for potentially unsafe Operating System OS Command Injection if...