MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

对路径名的限制不恰当(路径遍历)

MONAI 路径遍历漏洞

MONAI是Project MONAI开源的一个医疗成像AI工具包。 MONAI 1.5.1及之前版本存在路径遍历漏洞，该漏洞源于_download_from_ngc_private函数使用zipfile.ZipFile.extractall时未进行路径验证，可能导致路径遍历攻击。

N/A

N/A