基础信息
项目名称:chdb-io/chdb
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716632793848266752/1716632794737459200
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| GNU Libiberty 安全漏洞 | 输入验证不恰当 | MPS-2017-1331 | CVE-2016-6131 | 高危 |
| libiberty 数字错误漏洞 | 整数溢出或环绕 | MPS-2017-2066 | CVE-2016-2226 | 高危 |
| libiberty 安全漏洞 | UAF | MPS-2017-2070 | CVE-2016-4487 | 中危 |
| libiberty 安全漏洞 | UAF | MPS-2017-2071 | CVE-2016-4488 | 中危 |
| libiberty 数字错误漏洞 | 整数溢出或环绕 | MPS-2017-2072 | CVE-2016-4489 | 中危 |
| libiberty 数字错误漏洞 | 整数溢出或环绕 | MPS-2017-2073 | CVE-2016-4490 | 中危 |
| libiberty 安全漏洞 | 缓冲区溢出 | MPS-2017-2074 | CVE-2016-4491 | 中危 |
| libiberty 缓冲区错误漏洞 | 缓冲区溢出 | MPS-2017-2075 | CVE-2016-4492 | 中危 |
| libiberty 安全漏洞 | 越界读取 | MPS-2017-2076 | CVE-2016-4493 | 中危 |
| GNU Binutils 安全漏洞 | 不可达退出条件的循环(无限循环) | MPS-2018-14162 | CVE-2018-18700 | 中危 |
| GNU Binutils GNU libiberty 安全漏洞 | 拒绝服务 | MPS-2018-8266 | CVE-2018-12698 | 高危 |
| GNU Binutils 缓冲区错误漏洞 | 越界读取 | MPS-2019-1889 | CVE-2019-9070 | 高危 |
| GNU libiberty 缓冲区错误漏洞 | 缓冲区溢出 | MPS-2021-32366 | CVE-2021-3826 | 高危 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| containerd 安全漏洞 | 不加限制或调节的资源分配 | MPS-2023-3769 | CVE-2023-25153 | 中危 |
| containerd容器内文件权限机制实现不当 | 将用户置入不正确的用户组 | MPS-2023-3789 | CVE-2023-25173 | 中危 |
| runc 安全漏洞 | 使用不正确的解析名称或索引 | MPS-2023-6887 | CVE-2023-27561 | 高危 |
| runc | 访问控制不当 | MPS-2023-8507 | CVE-2023-28642 | 高危 |
| Moby 安全漏洞 | 未能安全地进行程序失效(Failing Open) | MPS-2023-8823 | CVE-2023-28840 | 高危 |
| Moby 安全漏洞 | 未能安全地进行程序失效(Failing Open) | MPS-2023-8824 | CVE-2023-28841 | 中危 |
| Moby 安全漏洞 | 未能安全地进行程序失效(Failing Open) | MPS-2023-8826 | CVE-2023-28842 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| libiberty | 9.1.0 | 20220713-1 | 间接依赖 | 建议修复 |
| golang.org/x/net | v0.0.0-20220906165146-f3363e06e74c | 0.17.0 | 间接依赖 | 建议修复 |
| github.com/docker/docker | v23.0.0+incompatible | 23.0.3 | 间接依赖 | 建议修复 |
| github.com/opencontainers/runc | v1.1.3 | 1.1.5 | 间接依赖 | 建议修复 |
| github.com/containerd/containerd | v1.6.17 | 1.6.18 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| LGPL-2.1 | 1 | 中 |
| Apache-2.0 | 29 | 低 |
| MIT | 36 | 低 |
| 自定义许可证 | 1 | 低 |
| CC-BY-SA-4.0 | 1 | 中 |
| BSD-3-Clause | 20 | 低 |
| BSD-2-Clause | 3 | 低 |
| MPL-2.0 | 1 | 低 |
| CC0-1.0 | 1 | 低 |
| GPL-3.0 | 1 | 中 |
| BSD-2-Clause-Views | 1 | 低 |
| ISC | 1 | 低 |
| BSL-1.0 | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| pygithub | 1.43.5 | 间接依赖 | pip |
| libiberty | 9.1.0 | 间接依赖 | |
| github.com/distribution/distribution | v2.8.2+incompatible | 间接依赖 | go |
| github.com/docker/docker | v23.0.0+incompatible | 间接依赖 | go |
| ClickHouseInstance | 间接依赖 | pip | |
| github.com/pelletier/go-toml | v1.9.5 | 间接依赖 | go |
| github.com/moby/patternmatcher | v0.5.0 | 间接依赖 | go |
| github.com/mholt/archiver/v4 | v4.0.0-alpha.4 | 直接依赖 | go |
| github.com/mitchellh/go-homedir | v1.1.0 | 间接依赖 | go |
| gopkg.in/yaml.v3 | v3.0.1 | 直接依赖 | go |
| row_number | 间接依赖 | pip | |
| run | 间接依赖 | pip | |
| get_docker_compose_path | 间接依赖 | pip | |
| github.com/go-ole/go-ole | v1.2.4 | 间接依赖 | go |
| github.com/opencontainers/go-digest | v1.0.0 | 间接依赖 | go |
| github.com/ClickHouse/clickhouse-go/v2 | v2.0.12 | 直接依赖 | go |
| github.com/jaypipes/ghw | v0.8.0 | 直接依赖 | go |
| github.com/spf13/pflag | v1.0.5 | 直接依赖 | go |
| google.golang.org/genproto | v0.0.0-20220617124728-180714bec0ad | 间接依赖 | go |
| github.com/jaypipes/pcidb | v0.6.0 | 间接依赖 | go |
| KafkaProducer | 间接依赖 | pip | |
| github.com/inconshreveable/mousetrap | v1.0.0 | 间接依赖 | go |
| github.com/spf13/viper | v1.10.1 | 直接依赖 | go |
| github.com/nwaples/rardecode/v2 | v2.0.0-beta.2 | 间接依赖 | go |
| github.com/gogo/protobuf | v1.3.2 | 间接依赖 | go |
| flask | 间接依赖 | pip | |
| github.com/opencontainers/runc | v1.1.3 | 间接依赖 | go |
| query | 间接依赖 | pip | |
| github.com/golang/protobuf | v1.5.2 | 间接依赖 | go |
| Table | 间接依赖 | pip | |
| github.com/testcontainers/testcontainers-go | v0.18.0 | 直接依赖 | go |
| github.com/spf13/cobra | v1.3.0 | 直接依赖 | go |
| github.com/subosito/gotenv | v1.2.0 | 间接依赖 | go |
| github.com/klauspost/pgzip | v1.2.5 | 间接依赖 | go |
| github.com/dsnet/compress | v0.0.1 | 间接依赖 | go |
| github.com/spf13/cast | v1.4.1 | 间接依赖 | go |
| pandas_read_parquet | 间接依赖 | pip | |
| github.com/containerd/containerd | v1.6.17 | 间接依赖 | go |
| github.com/StackExchange/wmi | v0.0.0-20190523213315-cbe66965904d | 间接依赖 | go |
| google.golang.org/grpc | v1.47.0 | 间接依赖 | go |
| github.com/Masterminds/semver | v1.5.0 | 直接依赖 | go |
| github.com/stretchr/testify | v1.8.1 | 直接依赖 | go |
| github.com/DATA-DOG/go-sqlmock | v1.5.0 | 直接依赖 | go |
| go.opentelemetry.io/otel/trace | v1.4.1 | 间接依赖 | go |
| github.com/Microsoft/go-winio | v0.5.2 | 间接依赖 | go |
| github.com/ulikunitz/xz | v0.5.10 | 间接依赖 | go |
| github.com/pmezard/go-difflib | v1.0.0 | 间接依赖 | go |
| github.com/klauspost/compress | v1.13.6 | 间接依赖 | go |
| github.com/matishsiao/goInfo | v0.0.0-20210923090445-da2e3fa8d45f | 直接依赖 | go |
| github.com/google/shlex | v0.0.0-20191202100458-e7afc7fbc510 | 直接依赖 | go |
| github.com/docker/go-connections | v0.4.0 | 直接依赖 | go |
| github.com/morikuni/aec | v1.0.0 | 间接依赖 | go |
| minio | 间接依赖 | pip | |
| github.com/mattn/go-runewidth | v0.0.9 | 间接依赖 | go |
| github.com/Azure/go-ansiterm | v0.0.0-20210617225240-d185dfc1b5a1 | 间接依赖 | go |
| github.com/andybalholm/brotli | v1.0.4 | 间接依赖 | go |
| github.com/magiconair/properties | v1.8.7 | 间接依赖 | go |
| github.com/elastic/gosigar | v0.14.2 | 直接依赖 | go |
| flash | 间接依赖 | pip | |
| TSV | 间接依赖 | pip | |
| tabulate | 0.8.6 | 间接依赖 | pip |
| ClickHouseCluster | 间接依赖 | pip | |
| google.golang.org/protobuf | v1.28.0 | 间接依赖 | go |
| github.com/google/uuid | v1.3.0 | 间接依赖 | go |
| gopkg.in/yaml.v2 | v2.4.0 | 间接依赖 | go |
| github.com/kr/text | v0.2.0 | 间接依赖 | go |
| golang.org/x/sys | v0.5.0 | 间接依赖 | go |
| Extension | 间接依赖 | pip | |
| github.com/spf13/jwalterweatherman | v1.1.0 | 间接依赖 | go |
| github.com/sirupsen/logrus | v1.9.0 | 间接依赖 | go |
| github.com/shopspring/decimal | v1.3.1 | 间接依赖 | go |
| github.com/docker/go-units | v0.5.0 | 间接依赖 | go |
| github.com/hashicorp/hcl | v1.0.0 | 间接依赖 | go |
| github.com/bmatcuk/doublestar/v4 | v4.0.2 | 直接依赖 | go |
| github.com/therootcompany/xz | v1.0.1 | 间接依赖 | go |
| Flask | 间接依赖 | pip | |
| run_and_check | 间接依赖 | pip | |
| route | 间接依赖 | pip | |
| zero | 间接依赖 | pip | |
| github.com/golang/snappy | v0.0.4 | 间接依赖 | go |
| github.com/cenkalti/backoff/v4 | v4.2.0 | 间接依赖 | go |
| termcolor | 1.1.0 | 间接依赖 | pip |
| go.opentelemetry.io/otel | v1.4.1 | 间接依赖 | go |
| github.com/moby/sys/sequential | v0.5.0 | 间接依赖 | go |
| howett.net/plist | v0.0.0-20181124034731-591f970eefbb | 间接依赖 | go |
| github.com/rs/zerolog | v1.26.1 | 直接依赖 | go |
| monotonically_increasing_id | 间接依赖 | pip | |
| github.com/olekukonko/tablewriter | v0.0.5 | 直接依赖 | go |
| gopkg.in/ini.v1 | v1.66.2 | 间接依赖 | go |
| github.com/moby/term | v0.0.0-20221128092401-c43b287e0e0f | 间接依赖 | go |
| github.com/mitchellh/mapstructure | v1.4.3 | 间接依赖 | go |
| github.com/pierrec/lz4/v4 | v4.1.14 | 间接依赖 | go |
| golang.org/x/net | v0.0.0-20220906165146-f3363e06e74c | 间接依赖 | go |
| assert_eq_with_retry | 间接依赖 | pip | |
| github.com/pkg/errors | v0.9.1 | 直接依赖 | go |
| golang.org/x/text | v0.7.0 | 间接依赖 | go |
| github.com/davecgh/go-spew | v1.1.1 | 间接依赖 | go |
| github.com/ghodss/yaml | v1.0.0 | 间接依赖 | go |
| poco | 间接依赖 | ||
| github.com/docker/distribution | v2.8.1+incompatible | 间接依赖 | go |
| github.com/spf13/afero | v1.8.0 | 间接依赖 | go |
| github.com/paulmach/orb | v0.4.0 | 间接依赖 | go |
| setup | 间接依赖 | pip | |
| KafkaAdminClient | 间接依赖 | pip | |
| github.com/yargevad/filepathx | v1.0.0 | 直接依赖 | go |
| github.com/opencontainers/image-spec | v1.1.0-rc2 | 间接依赖 | go |
| github.com/fsnotify/fsnotify | v1.5.4 | 间接依赖 | go |
| g_udf_path | 间接依赖 | pip |