high

AWS Neuron SDK Dependency Confusion Vulnerability Recurs

Published Sun, Dec 29th, 2024
Platforms

Summary

AWS's Neuron SDK installation instructions have reintroduced the same dependency confusion weakness three times in four years. The instructions install AWS-hosted packages with pip's --extra-index-url parameter, which adds the AWS repository alongside the default PyPI index rather than replacing it. pip gives no priority to either index and picks the highest version it finds across both, so anyone who registers an unclaimed Neuron package name on PyPI with an inflated version number gets their package installed in place of the AWS one. Despite earlier reports, the installation pattern itself was not changed, so packages added to the SDK later were exposed again.

Affected Services

Neuron SDK

Remediation

Install Neuron SDK packages with --index-url pointing at the AWS repository instead of --extra-index-url, so pip consults only that index (every dependency then has to be resolvable there, or be installed in a separate step). Alternatively, use a package manager that can pin each package to a named source, such as Poetry with a source declared at "explicit" priority, so the AWS packages are never looked up on PyPI. Pinning a version alone is not a defense, because the attacker can publish the same version number on PyPI; pinning with hashes (pip's --require-hashes mode) is, since a substituted archive will not match the recorded hash. Treat installation instructions as untrusted input even when they come from a reputable vendor, and check which indexes a command consults before running it.
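The selection behaviour described in the Summary, and the two remediations above, as an added example that is not part of this entry or of the Neuron SDK: a small model of how pip chooses among candidates when more than one index is configured. The index contents, the package names (example-private-pkg, example-only-private) and the index labels "aws" and "pypi" are constructed for the demonstration; real pip additionally considers wheel tags and yanked releases, which the model omits.

```python
"""Model of pip candidate selection across package indexes.

Added example; not code from the vulnerability entry or the Neuron SDK.
Index contents below are constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed index contents: index name -> {package name -> [versions]}.
# "aws" stands in for the vendor's private repository, "pypi" for the public
# index where an attacker has registered the same name with a high version.
INDEXES: Dict[str, Dict[str, List[str]]] = {
    "aws": {
        "example-private-pkg": ["1.9.0", "2.1.0"],
        "example-only-private": ["0.4.2"],
    },
    "pypi": {
        "example-private-pkg": ["99.0.0"],  # attacker-registered squat
        "requests": ["2.31.0", "2.32.3"],
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as integer tuples (enough for this model)."""
    return tuple(int(part) for part in version.split("."))


def select(package: str, index_names: List[str]) -> Optional[Tuple[str, str]]:
    """Return (version, index) pip would pick: the highest version found
    across every consulted index, regardless of which index holds it."""
    candidates = [
        (version, name)
        for name in index_names
        for version in INDEXES[name].get(package, [])
    ]
    if not candidates:
        return None
    version, name = max(candidates, key=lambda c: parse_version(c[0]))
    return version, name


def install_with_extra_index(package: str) -> Optional[Tuple[str, str]]:
    """pip install --extra-index-url <aws>: PyPI stays in the search pool,
    so the squatted 99.0.0 beats the vendor's 2.1.0."""
    return select(package, ["pypi", "aws"])


def install_with_index_url(package: str) -> Optional[Tuple[str, str]]:
    """pip install --index-url <aws>: only the vendor index is consulted.
    Packages that live only on PyPI (requests) no longer resolve at all."""
    return select(package, ["aws"])


# Poetry-style explicit sources: a package mapped to a named source is looked
# up there and nowhere else; unmapped packages fall back to the public index.
EXPLICIT_SOURCES = {"example-private-pkg": "aws", "example-only-private": "aws"}


def install_with_explicit_sources(package: str) -> Optional[Tuple[str, str]]:
    source = EXPLICIT_SOURCES.get(package, "pypi")
    return select(package, [source])


if __name__ == "__main__":
    for label, fn in [
        ("--extra-index-url", install_with_extra_index),
        ("--index-url", install_with_index_url),
        ("explicit sources", install_with_explicit_sources),
    ]:
        for pkg in ("example-private-pkg", "example-only-private", "requests"):
            print(f"{label:20} {pkg:22} -> {fn(pkg)}")
```

Running the block prints one line per combination; the only mode in which the squatted 99.0.0 wins is --extra-index-url, while --index-url shows the cost of the simplest fix (requests, which exists only on PyPI, stops resolving) and the explicit-source mapping keeps both working.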

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Fri, Apr 1st, 2022
Exploitability Period
Until 2024/12/29
Known ITW Exploitation
-
Detection Methods
Search Dockerfiles, CI pipelines, requirements files, pip.conf and PIP_EXTRA_INDEX_URL settings for --extra-index-url and confirm that each Neuron SDK package is resolved only from the AWS repository. Before installing, verify that the version pip selects actually exists in the AWS index and matches a recorded hash rather than trusting the name alone. Monitor development and build environments for package installs whose source index is not the expected one.
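As an added example for the detection step above (not code from this entry or from AWS), a scanner that finds the three places pip's extra-index setting can be introduced (the command-line flag, the pip.conf key and the environment variable) and lists version-pinned requirements that still lack a hash. The file contents, URLs and package names it runs over are constructed placeholders.

```python
"""Scan build and config files for pip extra-index usage and unhashed pins.

Added example; not code from the vulnerability entry or the Neuron SDK.
The file contents below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# One pattern per place the setting can hide: command-line flag (with or
# without '='), pip.conf key, and the environment variable.
PATTERNS = {
    "cli-flag": re.compile(r"--extra-index-url[=\s]+(\S+)"),
    "pip.conf": re.compile(r"^\s*extra-index-url\s*=\s*(\S+)"),
    "env-var": re.compile(r'PIP_EXTRA_INDEX_URL\s*[=:]\s*"?([^\s"]+)'),
}

# Constructed samples standing in for files found in a repository.
SAMPLE_FILES: Dict[str, str] = {
    "Dockerfile": (
        "FROM python:3.11-slim\n"
        "ENV PIP_EXTRA_INDEX_URL=https://private.example/simple\n"
        "RUN pip install --extra-index-url https://private.example/simple "
        "example-private-pkg==2.1.0\n"
    ),
    "pip.conf": "[global]\nextra-index-url = https://private.example/simple\n",
    "requirements.txt": (
        "--index-url https://private.example/simple\n"
        "example-private-pkg==2.1.0 --hash=sha256:0000\n"
        "example-only-private==0.4.2\n"
    ),
}

Hit = Tuple[str, int, str, str]  # (path, line number, kind, url)


def find_extra_index(path: str, text: str) -> List[Hit]:
    """Return one hit per extra-index setting found in the file text."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((path, lineno, kind, match.group(1)))
    return hits


def scan(files: Dict[str, str]) -> List[Hit]:
    """Scan every (path, text) pair and concatenate the hits."""
    return [hit for path, text in files.items() for hit in find_extra_index(path, text)]


def unhashed_pins(requirements_text: str) -> List[str]:
    """Names of version-pinned requirements that carry no --hash=, i.e. the
    lines to fix before pip's --require-hashes mode can be turned on."""
    names: List[str] = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("-", "#")):
            continue  # option lines and comments are not requirements
        if "==" in line and "--hash=" not in line:
            names.append(line.split("==", 1)[0].strip())
    return names


if __name__ == "__main__":
    for path, lineno, kind, url in scan(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} -> {url}")
    print("unhashed pins:", unhashed_pins(SAMPLE_FILES["requirements.txt"]))
```

In a real repository, replace SAMPLE_FILES with the contents of the files you want to check; the requirements sample deliberately uses --index-url, so it produces no extra-index hit but does report the one pin that cannot yet be hash-verified.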
Piercing Index Rating
-
Discovered by
Giraffe Security