monai@1.4.0rc3 vulnerabilities

AI Toolkit for Healthcare Imaging

  • latest version

    1.5.1

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the monai package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Zip Slip

    monai is an AI Toolkit for Healthcare Imaging

    Affected versions of this package are vulnerable to Zip Slip via the use of zip_file.extractall(output_dir). An attacker can overwrite arbitrary files on the system by supplying a crafted zip archive containing files with path traversal sequences. This can be exploited remotely if a user loads and extracts a malicious zip file from an untrusted or compromised source.

    How to fix Zip Slip?

    Upgrade monai to version 1.5.1 or higher.

    [,1.5.1)
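
One way to guard a zip_file.extractall(output_dir) call like the one named above: check every member name first and refuse the whole archive if any entry would resolve outside output_dir. This is an added example, not MONAI's code or its 1.5.1 fix; safe_extractall, build_zip and UnsafeArchiveError are hypothetical names, and the archives are constructed in memory.

```python
import io
import os
import tempfile
import zipfile


class UnsafeArchiveError(Exception):
    """A member name would resolve outside the extraction directory."""


def safe_extractall(zip_file, output_dir):
    """Check every member before writing anything, then extract.

    Returns the extracted member names; raises UnsafeArchiveError
    (and extracts nothing) if any member escapes output_dir.
    """
    root = os.path.realpath(output_dir)
    for info in zip_file.infolist():
        name = info.filename.replace("\\", "/")
        parts = name.split("/")
        # Reject absolute paths, drive-letter paths and ".." components outright.
        if name.startswith("/") or ".." in parts or (len(name) > 1 and name[1] == ":"):
            raise UnsafeArchiveError(f"rejected member name: {info.filename!r}")
        # realpath also follows symlinks that already exist under output_dir.
        target = os.path.realpath(os.path.join(root, *parts))
        if os.path.commonpath([root, target]) != root:
            raise UnsafeArchiveError(f"member escapes output dir: {info.filename!r}")
    zip_file.extractall(root)
    return zip_file.namelist()


def build_zip(members):
    """Build an in-memory archive from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "bundle")
        os.makedirs(out)
        print(safe_extractall(build_zip({"model/config.json": b"{}"}), out))
        try:
            safe_extractall(build_zip({"ok.txt": b"a", "../evil.txt": b"x"}), out)
        except UnsafeArchiveError as exc:
            print("blocked:", exc)
```

Validating the full member list before extracting means a single bad entry leaves the output directory untouched, including the benign files in the same archive.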
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load function in the bundle/scripts.py file, which uses torch.load with the weights_only=True parameter. An attacker can execute arbitrary commands by providing a malicious checkpoint file that is deserialized during model loading.

    How to fix Deserialization of Untrusted Data?

    Upgrade monai to version 1.5.1 or higher.

    [,1.5.1)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the pickle_operations function, which uses pickle.loads(). An attacker can execute arbitrary code by supplying crafted serialized data that is deserialized without validation.

    How to fix Deserialization of Untrusted Data?

    Upgrade monai to version 1.5.1 or higher.

    [,1.5.1)