Basic Information
Project name: cloud-custodian/cloud-custodian
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1716731056308748288/1716731056354885632
This report was provided by Murphysec
Vulnerability List
| Vulnerability Name | Vulnerability Type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| Supervisor XML-RPC server security vulnerability | Incorrect default permissions | MPS-2017-9448 | CVE-2017-11610 | High |
| Python trust management vulnerability | Insufficiently protected credentials | MPS-2018-13292 | CVE-2018-18074 | High |
| urllib3 trust management vulnerability | Insufficiently protected credentials | MPS-2018-15714 | CVE-2018-20060 | Critical |
| urllib3 injection vulnerability | CRLF injection | MPS-2019-4007 | CVE-2019-11236 | Medium |
| urllib3 trust management vulnerability | Improper certificate validation | MPS-2019-4157 | CVE-2019-11324 | High |
| urllib3 injection vulnerability | Injection | MPS-2020-13780 | CVE-2020-26137 | Medium |
| Python resource management error vulnerability | Incorrect calculation | MPS-2020-15181 | CVE-2020-14422 | Medium |
| Python-RSA cryptographic vulnerability | Covert timing channel | MPS-2020-16939 | CVE-2020-25658 | Medium |
| Bottle environment vulnerability | HTTP request smuggling | MPS-2021-0650 | CVE-2020-28473 | Medium |
| Python input validation error vulnerability | | MPS-2021-6340 | CVE-2021-29921 | Critical |
| urllib3 resource management error vulnerability | Denial of service | MPS-2021-9054 | CVE-2021-33503 | High |
| awscli path traversal vulnerability | Path traversal | MPS-2022-14752 | | Medium |
| boto3 information exposure vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-2022-14769 | | Low |
| ipaddress insecure cryptographic algorithm vulnerability | Insecure cryptographic algorithm | MPS-2022-14951 | | Medium |
| Bottle security feature vulnerability | Improper handling of exceptional conditions | MPS-2022-16709 | CVE-2022-31799 | Critical |
| Certifi insufficient verification of data authenticity vulnerability | Insufficient verification of data authenticity | MPS-2022-1918 | CVE-2022-23491 | Medium |
| redis-py information disclosure vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-2023-8854 | CVE-2023-28858 | Medium |
| redis-py information disclosure vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-2023-8855 | CVE-2023-28859 | Medium |
| urllib3 security vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-46py-nxai | CVE-2023-45803 | Medium |
| Certifi data forgery vulnerability | Insufficient verification of data authenticity | MPS-ck78-r6zg | CVE-2023-37920 | Critical |
| Requests Proxy-Authorization header leak vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-hr61-tzey | CVE-2023-32681 | Medium |
| urllib3 security vulnerability | Cross-site redirect | MPS-pe32-76d4 | CVE-2018-25091 | Medium |
| urllib3 HTTP redirect information disclosure vulnerability | Exposure of sensitive information to an unauthorized actor | MPS-s0oy-afbw | CVE-2023-43804 | High |
Vulnerable Components
| Component Name | Version | Minimum Fixed Version | Dependency | Remediation Advice |
|---|---|---|---|---|
| ipaddress | 1.0.17 | | Indirect dependency | Fix recommended |
| requests | 2.18.4 | 2.31.0 | Indirect dependency | Fix recommended |
| ipaddress | 1.0.18 | | Indirect dependency | Fix recommended |
| urllib3 | 1.22 | 2.0.6 | Indirect dependency | Fix recommended |
| requests | 2.12.5 | 2.31.0 | Indirect dependency | Fix recommended |
| supervisor | 3.3.2 | 3.3.3 | Indirect dependency | Fix recommended |
| certifi | 2018.1.18 | 2023.7.22 | Indirect dependency | Fix recommended |
| bottle | 0.12.13 | 0.12.20 | Indirect dependency | Fix recommended |
| ipaddress | 1.0.19 | | Indirect dependency | Fix recommended |
| rsa | 4.6 | 4.7 | Indirect dependency | Fix optional |
| boto3 | 1.4.4 | 1.4.5 | Indirect dependency | Fix optional |
| redis | 2.10.5 | 4.5.3 | Indirect dependency | Fix optional |
| awscli | 1.11.39 | 1.11.83 | Indirect dependency | Fix optional |
License Risk
| License Type | Related Components | License Risk |
|---|---|---|
| BSD-3-Clause | 23 | Low |
| Apache-2.0 | 34 | Low |
| MIT | 37 | Low |
| MPL-2.0 | 5 | Low |
| Custom license | 21 | Low |
| BSD-2-Clause | 5 | Low |
| WTFPL | 1 | Low |
| MIT-0 | 1 | Low |
SBOM Inventory
| Component Name | Component Version | Direct Dependency? | Repository |
|---|---|---|---|
| golang.org/x/text | v0.13.0 | Indirect dependency | go |
| botocore | 1.12.94 | Indirect dependency | pip |
| github.com/mailru/easyjson | v0.0.0-20180823135443-60711f1a8329 | Indirect dependency | go |
| github.com/hashicorp/go-multierror | v1.0.0 | Direct dependency | go |
| github.com/jmespath/go-jmespath | v0.3.0 | Indirect dependency | go |
| golang.org/x/time | v0.0.0-20210723032227-1f47c861a9ac | Indirect dependency | go |
| rq-dashboard | 0.3.7 | Indirect dependency | pip |
| github.com/mattn/go-isatty | v0.0.17 | Direct dependency | go |
| github.com/moby/term | v0.0.0-20221205130635-1aeaba878587 | Indirect dependency | go |
| colorama | 0.3.7 | Indirect dependency | pip |
| redis | 2.10.5 | Indirect dependency | pip |
| docutils | 0.12 | Indirect dependency | pip |
| gopkg.in/yaml.v2 | v2.2.8 | Direct dependency | go |
| github.com/DATA-DOG/go-sqlmock | v1.3.0 | Indirect dependency | go |
| Jinja2 | 2.11.3 | Indirect dependency | pip |
| docutils | 0.13.1 | Indirect dependency | pip |
| docutils | 0.14 | Indirect dependency | pip |
| jmespath | 0.9.3 | Indirect dependency | pip |
| github.com/docker/docker | v23.0.3+incompatible | Direct dependency | go |
| click | 7.0 | Indirect dependency | pip |
| functools32 | 3.2.3.post2 | Indirect dependency | pip |
| github.com/sha1sum/aws_signing_client | v0.0.0-20170514202702-9088e4c7b34b | Direct dependency | go |
| PyYAML | 4.2b4 | Indirect dependency | pip |
| c7n | 0.8.22.0 | Indirect dependency | pip |
| github.com/hashicorp/hcl | v1.0.0 | Indirect dependency | go |
| boto3 | 1.4.4 | Indirect dependency | pip |
| chardet | 3.0.4 | Indirect dependency | pip |
| jsonschema | 2.5.1 | Indirect dependency | pip |
| ipaddress | 1.0.18 | Indirect dependency | pip |
| github.com/mitchellh/mapstructure | v1.0.0 | Indirect dependency | go |
| github.com/shirou/w32 | v0.0.0-20160930032740-bb4de0191aa4 | Indirect dependency | go |
| six | 1.13.0 | Indirect dependency | pip |
| golang.org/x/sys | v0.13.0 | Direct dependency | go |
| github.com/magiconair/properties | v1.8.0 | Indirect dependency | go |
| github.com/shirou/gopsutil | v2.17.12+incompatible | Direct dependency | go |
| DEBUG | | Indirect dependency | pip |
| requests | 2.18.4 | Indirect dependency | pip |
| itsdangerous | 1.1.0 | Indirect dependency | pip |
| rsa | 4.6 | Indirect dependency | pip |
| github.com/golang/time | v0.0.0-20180412165947-fbb02b2291d2 | Direct dependency | go |
| Werkzeug | 0.14.1 | Indirect dependency | pip |
| blob_outputs | | Indirect dependency | pip |
| abstractmethod | | Indirect dependency | pip |
| python-dateutil | 2.6.1 | Indirect dependency | pip |
| github.com/pelletier/go-toml | v1.2.0 | Indirect dependency | go |
| jsonschema | 2.6.0 | Indirect dependency | pip |
| call | | Indirect dependency | pip |
| ABCMeta | | Indirect dependency | pip |
| gopkg.in/check.v1 | v1.0.0-20180628173108-788fd7840127 | Indirect dependency | go |
| pytz | 2018.3 | Indirect dependency | pip |
| github.com/spf13/viper | v1.1.0 | Direct dependency | go |
| gcp_common | | Indirect dependency | pip |
| SQLAlchemy | 1.2.4 | Indirect dependency | pip |
| github.com/pkg/errors | v0.9.1 | Direct dependency | go |
| tabulate | 0.7.7 | Indirect dependency | pip |
| ipaddress | 1.0.19 | Indirect dependency | pip |
| github.com/fortytw2/leaktest | v1.2.0 | Indirect dependency | go |
| six | 1.10.0 | Indirect dependency | pip |
| github.com/docker/go-units | v0.5.0 | Indirect dependency | go |
| github.com/kr/pretty | v0.1.0 | Indirect dependency | go |
| github.com/Azure/go-ansiterm | v0.0.0-20230124172434-306776ec8161 | Indirect dependency | go |
| github.com/google/go-cmp | v0.2.0 | Direct dependency | go |
| c7n | | Indirect dependency | pip |
| github.com/docker/distribution | v2.8.2+incompatible | Indirect dependency | go |
| format_string_values | | Indirect dependency | pip |
| github.com/spf13/jwalterweatherman | v0.0.0-20180814060501-14d3d4c51834 | Indirect dependency | go |
| s3transfer | 0.1.9 | Indirect dependency | pip |
| supervisor | 3.3.2 | Indirect dependency | pip |
| c7n_azure | | Indirect dependency | pip |
| futures | 3.2.0 | Indirect dependency | pip |
| msgpack-python | 0.4.8 | Indirect dependency | pip |
| python-dateutil | 2.5.3 | Indirect dependency | pip |
| github.com/cihub/seelog | v0.0.0-20170130134532-f561c5e57575 | Indirect dependency | go |
| influxdb | 5.0.0 | Indirect dependency | pip |
| gotest.tools/v3 | v3.0.3 | Indirect dependency | go |
| lz4 | 2.2.1 | Indirect dependency | pip |
| requests | 2.12.5 | Indirect dependency | pip |
| procname | 0.3 | Indirect dependency | pip |
| oci | 2.97.0 | Indirect dependency | pip |
| github.com/Microsoft/go-winio | v0.6.0 | Indirect dependency | go |
| MarkupSafe | 1.1.1 | Indirect dependency | pip |
| setuptools-scm | 3.3.3 | Indirect dependency | pip |
| LogRecord | | Indirect dependency | pip |
| github.com/BurntSushi/toml | v0.3.0 | Indirect dependency | go |
| github.com/olivere/elastic | v6.1.25+incompatible | Direct dependency | go |
| github.com/aws/aws-sdk-go | v1.34.0 | Direct dependency | go |
| golang.org/x/net | v0.17.0 | Indirect dependency | go |
| golang.org/x/sync | v0.1.0 | Direct dependency | go |
| awscli | 1.11.39 | Indirect dependency | pip |
| github.com/spf13/cobra | v0.0.3 | Direct dependency | go |
| six | 1.11.0 | Indirect dependency | pip |
| Flask | 1.0.2 | Indirect dependency | pip |
| c7n | 0.8.28.0 | Indirect dependency | pip |
| github.com/hashicorp/errwrap | v1.0.0 | Indirect dependency | go |
| argcomplete | 1.9.4 | Indirect dependency | pip |
| parse_date | | Indirect dependency | pip |
| futures | 3.3.0 | Indirect dependency | pip |
| botocore | 1.5.2 | Indirect dependency | pip |
| wsgiref | 0.1.2 | Indirect dependency | pip |
| github.com/inconshreveable/mousetrap | v1.0.0 | Indirect dependency | go |
| click | 6.7 | Indirect dependency | pip |
| argparse | 1.2.1 | Indirect dependency | pip |
| github.com/gogo/protobuf | v1.3.2 | Indirect dependency | go |
| jmespath | 0.9.0 | Indirect dependency | pip |
| github.com/docker/go-connections | v0.4.0 | Indirect dependency | go |
| certifi | 2018.1.18 | Indirect dependency | pip |
| jinja2 | 2.11.3 | Indirect dependency | pip |
| arrow | 0.8.0 | Indirect dependency | pip |
| github.com/aws/amazon-ssm-agent | v0.0.0-20181107231829-b9654b268afc | Direct dependency | go |
| github.com/aws/aws-lambda-go | v1.6.0 | Direct dependency | go |
| pkg-resources | 0.0.0 | Indirect dependency | pip |
| s3transfer | 0.1.13 | Indirect dependency | pip |
| github.com/rs/zerolog | v1.8.0 | Direct dependency | go |
| github.com/kr/text | v0.2.0 | Indirect dependency | go |
| BlobOutput | | Indirect dependency | pip |
| github.com/morikuni/aec | v1.0.0 | Indirect dependency | go |
| termcolor | 1.1.0 | Indirect dependency | pip |
| bottle | 0.12.13 | Indirect dependency | pip |
| github.com/spf13/pflag | v1.0.2 | Direct dependency | go |
| rq | 0.6.0 | Indirect dependency | pip |
| github.com/spf13/afero | v1.1.1 | Indirect dependency | go |
| ipaddress | 1.0.17 | Indirect dependency | pip |
| github.com/StackExchange/wmi | v0.0.0-20180725035823-b12b22c5341f | Indirect dependency | go |
| github.com/aws/aws-xray-sdk-go | v1.0.0-rc.5 | Direct dependency | go |
| gopkg.in/check.v1 | v1.0.0-20201130134442-10cb98267c6c | Indirect dependency | go |
| github.com/google/go-cmp | v0.5.6 | Indirect dependency | go |
| boto3 | 1.9.94 | Indirect dependency | pip |
| github.com/spf13/cast | v1.2.0 | Indirect dependency | go |
| github.com/fsnotify/fsnotify | v1.4.7 | Indirect dependency | go |
| pyasn1 | 0.4.2 | Indirect dependency | pip |
| MagicMock | | Indirect dependency | pip |
| tabulate | 0.8.2 | Indirect dependency | pip |
| github.com/hashicorp/go-version | v1.0.0 | Direct dependency | go |
| github.com/thoas/go-funk | v0.9.3 | Direct dependency | go |
| awslogs | 0.8.0 | Indirect dependency | pip |
| github.com/go-ole/go-ole | v1.2.1 | Indirect dependency | go |
| github.com/opencontainers/image-spec | v1.1.0-rc2 | Indirect dependency | go |
| urllib3 | 1.22 | Indirect dependency | pip |
| s3transfer | 0.1.10 | Indirect dependency | pip |
| pyyaml | 4.2b4 | Indirect dependency | pip |
| c7n-org | 0.2.2 | Indirect dependency | pip |
| idna | 2.6 | Indirect dependency | pip |