SCA: security update for sagemaker (GHSA-wjvx-jhpj-r54r)

high Tenable Cloud Security Plugin ID 419978

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker.
The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe
deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an
unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality
and integrity. Users are advised to upgrade to version 2.218.0. Users unable to upgrade should not pass
pickled numpy object arrays which originated from an untrusted source, or that could have been tampered
with. Only pass pickled numpy object arrays from trusted sources. (CVE-2024-34072)

See Also

https://github.com/advisories/GHSA-wjvx-jhpj-r54r

Plugin Details

Severity: High

ID: 419978

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.76

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-34072

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/3/2024

Vulnerability Publication Date: 5/3/2024

Reference Information

CVE: CVE-2024-34072

cwe: CWE-502