基础信息
项目名称:codemix/fast.js
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716776477021487104/1716776477378002944
此报告由Murphysec提供
漏洞列表
漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
---|---|---|---|---|
Joyent Node.js uglify-js 安全特征问题漏洞 | 7PK – 安全功能 | MPS-2017-0614 | CVE-2015-8857 | 严重 |
Joyent Node.js uglify-js 资源管理错误漏洞 | 资源管理错误 | MPS-2017-0615 | CVE-2015-8858 | 高危 |
Joyent Node.js handlebar 跨站脚本漏洞 | XSS | MPS-2017-0618 | CVE-2015-8861 | 中危 |
node-cli 安全漏洞 | 竞争条件 | MPS-2018-6723 | CVE-2016-10538 | 低危 |
Minimatch 拒绝服务漏洞 | 拒绝服务 | MPS-2018-6725 | CVE-2016-10540 | 高危 |
Thshell-quote 安全漏洞 | 代码注入 | MPS-2018-6726 | CVE-2016-10541 | 严重 |
Growl 安全漏洞 | OS命令注入 | MPS-2018-7026 | CVE-2017-16042 | 严重 |
handlebars 原型污染漏洞 | 原型污染 | MPS-2019-16888 | CVE-2019-19919 | 严重 |
npm bl 内存泄露漏洞 | 越界读取 | MPS-2020-12199 | CVE-2020-8244 | 中危 |
handlebars 代码注入漏洞 | 代码注入 | MPS-2020-13732 | CVE-2019-20920 | 高危 |
Ini | 拒绝服务 | MPS-2020-17544 | CVE-2020-7788 | 高危 |
minimist 原型污染漏洞 | 原型污染 | MPS-2020-3516 | CVE-2020-7598 | 中危 |
chownr package竞争条件问题漏洞 | 检查时间与使用时间(TOCTOU)的竞争条件 | MPS-2020-8858 | CVE-2017-18869 | 低危 |
shell-quote 远程代码执行漏洞 | 命令注入 | MPS-2021-34136 | CVE-2021-42740 | 严重 |
minimist 安全漏洞 | 原型污染 | MPS-2021-38405 | CVE-2021-44906 | 严重 |
handlebars 远程代码执行 (RCE) 漏洞 | 代码注入 | MPS-2021-4548 | CVE-2021-23369 | 严重 |
handlebars | 原型污染 | MPS-2021-6180 | CVE-2021-23383 | 严重 |
shelljs | 权限管理不当 | MPS-2022-0508 | CVE-2022-0144 | 高危 |
handlebars 存在原型污染漏洞 | MAID | MPS-2022-13730 | 高危 | |
handlebars 存在代码注入漏洞 | 代码注入 | MPS-2022-13733 | 高危 | |
handlebars 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-13734 | 严重 | |
handlebars | 拒绝服务 | MPS-2022-13735 | 中危 | |
js-yaml 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-13820 | 中危 | |
js-yaml | 代码注入 | MPS-2022-13822 | 高危 | |
minimatch | 拒绝服务 | MPS-2022-13882 | 高危 | |
uglify-js | ReDoS | MPS-2022-14112 | 中危 | |
simple-get 信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2022-2533 | CVE-2022-0355 | 高危 |
node-semver 安全漏洞 | ReDoS | MPS-2022-5166 | CVE-2022-25883 | 高危 |
mocha ReDoS 漏洞 | ReDoS | MPS-2022-54598 | 高危 | |
minimatch 资源管理错误漏洞 | 拒绝服务 | MPS-2022-59845 | CVE-2022-3517 | 高危 |
缺陷组件
组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
---|---|---|---|---|
shell-quote | 0.0.1 | 1.7.3 | 间接依赖 | 强烈建议修复 |
growl | 1.7.0 | 1.10.0 | 间接依赖 | 强烈建议修复 |
minimist | 0.0.10 | 1.2.6 | 间接依赖 | 建议修复 |
js-yaml | 3.12.0 | 3.13.1 | 间接依赖 | 建议修复 |
simple-get | 2.8.1 | 4.0.1 | 间接依赖 | 建议修复 |
ini | 1.3.5 | 1.3.6 | 间接依赖 | 建议修复 |
mocha | 1.20.1 | 6.0.0 | 直接依赖 | 建议修复 |
minimatch | 0.3.0 | 3.0.5 | 间接依赖 | 建议修复 |
shelljs | 0.3.0 | 0.8.5 | 间接依赖 | 建议修复 |
uglify-js | 2.3.6 | 3.14.3 | 间接依赖 | 建议修复 |
handlebars | 1.3.0 | 4.7.7 | 间接依赖 | 建议修复 |
chownr | 1.0.1 | 1.1.0 | 间接依赖 | 可选修复 |
cli | 0.6.6 | 1.0.0 | 间接依赖 | 可选修复 |
semver | 5.5.1 | 7.5.2 | 间接依赖 | 可选修复 |
bl | 1.2.2 | 4.0.3 | 间接依赖 | 可选修复 |
许可证风险
许可证类型 | 相关组件 | 许可证风险 |
---|---|---|
MIT | 129 | 低 |
ISC | 20 | 低 |
BSD | 3 | 低 |
BSD-2-Clause | 7 | 低 |
BSD-3-Clause | 6 | 低 |
WTFPL | 1 | 低 |
Apache-2.0 | 3 | 低 |
BSD-like | 1 | 低 |
SBOM清单
组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
---|---|---|---|
domain-browser | 1.1.7 | 间接依赖 | npm |
shell-quote | 0.0.1 | 间接依赖 | npm |
set-blocking | 2.0.0 | 间接依赖 | npm |
end-of-stream | 1.4.1 | 间接依赖 | npm |
vm-browserify | 0.0.4 | 间接依赖 | npm |
debug | 3.1.0 | 间接依赖 | npm |
astw | 2.2.0 | 间接依赖 | npm |
duplexer2 | 0.0.2 | 间接依赖 | npm |
JSONStream | 0.7.4 | 间接依赖 | npm |
string-width | 1.0.2 | 间接依赖 | npm |
readable-stream | 1.1.14 | 间接依赖 | npm |
node-abi | 2.4.3 | 间接依赖 | npm |
callsite | 1.0.0 | 间接依赖 | npm |
through | 2.3.8 | 间接依赖 | npm |
shallow-copy | 0.0.1 | 间接依赖 | npm |
mkdirp | 0.5.1 | 间接依赖 | npm |
signal-exit | 3.0.2 | 间接依赖 | npm |
are-we-there-yet | 1.1.5 | 间接依赖 | npm |
commondir | 0.0.1 | 间接依赖 | npm |
domutils | 1.5.1 | 间接依赖 | npm |
jshint | 2.5.11 | 直接依赖 | npm |
builtins | 0.0.7 | 间接依赖 | npm |
ansi-regex | 2.1.1 | 间接依赖 | npm |
prebuild-install | 2.5.3 | 间接依赖 | npm |
domelementtype | 1.3.0 | 间接依赖 | npm |
diff | 1.0.7 | 间接依赖 | npm |
strip-json-comments | 1.0.4 | 间接依赖 | npm |
is-array | 1.0.1 | 间接依赖 | npm |
rfile | 1.0.0 | 间接依赖 | npm |
code-point-at | 1.1.0 | 间接依赖 | npm |
buffer-alloc | 1.2.0 | 间接依赖 | npm |
buffer-fill | 1.0.0 | 间接依赖 | npm |
events | 1.0.2 | 间接依赖 | npm |
escope | 0.0.16 | 间接依赖 | npm |
pump | 2.0.1 | 间接依赖 | npm |
ieee754 | 1.1.12 | 间接依赖 | npm |
fileset | 0.1.8 | 间接依赖 | npm |
acorn | 4.0.13 | 间接依赖 | npm |
which | 1.0.9 | 间接依赖 | npm |
assert | 1.1.2 | 间接依赖 | npm |
source-map | 0.1.43 | 间接依赖 | npm |
parents | 0.0.3 | 间接依赖 | npm |
crypto-browserify | 1.0.9 | 间接依赖 | npm |
ms | 2.0.0 | 间接依赖 | npm |
expand-template | 1.1.1 | 间接依赖 | npm |
htmlparser2 | 3.8.3 | 间接依赖 | npm |
os-browserify | 0.1.2 | 间接依赖 | npm |
estraverse | 1.5.1 | 间接依赖 | npm |
through2 | 0.4.2 | 间接依赖 | npm |
istanbul | 0.2.16 | 直接依赖 | npm |
tar-stream | 1.6.1 | 间接依赖 | npm |
stream-browserify | 1.0.0 | 间接依赖 | npm |
chownr | 1.0.1 | 间接依赖 | npm |
combine-source-map | 0.3.0 | 间接依赖 | npm |
dom-serializer | 0.1.0 | 间接依赖 | npm |
growl | 1.7.0 | 间接依赖 | npm |
underscore | git://github.com/jashkenas/underscore.git#d5fe0fd4060f13b40608cb9d92eda6d857e8752c | 间接依赖 | npm |
process | 0.7.0 | 间接依赖 | npm |
uglify-to-browserify | 1.0.2 | 直接依赖 | npm |
path-platform | 0.0.1 | 间接依赖 | npm |
fs-constants | 1.0.0 | 间接依赖 | npm |
insert-module-globals | 6.0.0 | 间接依赖 | npm |
semver | 5.5.1 | 间接依赖 | npm |
os-homedir | 1.0.2 | 间接依赖 | npm |
timers-browserify | 1.0.3 | 间接依赖 | npm |
convert-source-map | 0.3.5 | 间接依赖 | npm |
window-size | 0.1.0 | 间接依赖 | npm |
mocha | 1.20.1 | 直接依赖 | npm |
async | 0.2.10 | 间接依赖 | npm |
detect-libc | 1.0.3 | 间接依赖 | npm |
browser-pack | 2.0.1 | 间接依赖 | npm |
console-browserify | 1.0.3 | 间接依赖 | npm |
simple-concat | 1.0.0 | 间接依赖 | npm |
glob | 3.2.11 | 间接依赖 | npm |
inline-source-map | 0.3.1 | 间接依赖 | npm |
url | 0.10.3 | 间接依赖 | npm |
process-nextick-args | 2.0.0 | 直接依赖 | npm |
camelcase | 1.2.1 | 间接依赖 | npm |
decompress-response | 3.3.0 | 间接依赖 | npm |
handlebars | 1.3.0 | 间接依赖 | npm |
minimist | 0.0.10 | 间接依赖 | npm |
esrefactor | 0.1.0 | 间接依赖 | npm |
expect.js | 0.3.1 | 直接依赖 | npm |
pako | 0.2.9 | 间接依赖 | npm |
amdefine | 1.0.1 | 间接依赖 | npm |
constants-browserify | 0.0.1 | 间接依赖 | npm |
tar-fs | 1.16.3 | 间接依赖 | npm |
wordwrap | 0.0.3 | 间接依赖 | npm |
resolve | 0.7.4 | 间接依赖 | npm |
@types/expect.js | 0.3.29 | 直接依赖 | npm |
module-deps | 2.1.5 | 间接依赖 | npm |
commander | 2.0.0 | 间接依赖 | npm |
browser-resolve | 1.11.3 | 间接依赖 | npm |
base64-js | 0.0.7 | 间接依赖 | npm |
concat-stream | 1.4.11 | 间接依赖 | npm |
graceful-fs | 2.0.3 | 直接依赖 | npm |
benchmark | 1.0.0 | 直接依赖 | npm |
umd | 2.1.0 | 间接依赖 | npm |
jade | 0.26.3 | 间接依赖 | npm |
deep-extend | 0.6.0 | 间接依赖 | npm |
strip-ansi | 3.0.1 | 间接依赖 | npm |
which-pm-runs | 1.0.0 | 间接依赖 | npm |
delegates | 1.0.0 | 间接依赖 | npm |
entities | 1.0.0 | 间接依赖 | npm |
punycode | 1.2.4 | 间接依赖 | npm |
wide-align | 1.1.3 | 间接依赖 | npm |
optimist | 0.3.7 | 间接依赖 | npm |
bindings | 1.3.0 | 间接依赖 | npm |
ini | 1.3.5 | 间接依赖 | npm |
cli | 0.6.6 | 间接依赖 | npm |
wrappy | 1.0.2 | 间接依赖 | npm |
typedarray | 0.0.6 | 间接依赖 | npm |
object-assign | 4.1.1 | 间接依赖 | npm |
duplexer | 0.1.1 | 间接依赖 | npm |
aproba | 1.2.0 | 间接依赖 | npm |
string_decoder | 0.0.1 | 间接依赖 | npm |
shelljs | 0.3.0 | 间接依赖 | npm |
deps-sort | 0.1.2 | 间接依赖 | npm |
derequire | 0.8.0 | 间接依赖 | npm |
esprima-fb | 3001.1.0-dev-harmony-fb | 间接依赖 | npm |
console-control-strings | 1.1.0 | 间接依赖 | npm |
defined | 0.0.0 | 间接依赖 | npm |
nopt | 3.0.6 | 间接依赖 | npm |
indexof | 0.0.1 | 间接依赖 | npm |
browserify | 4.1.11 | 直接依赖 | npm |
xtend | 3.0.0 | 间接依赖 | npm |
should | 4.0.4 | 直接依赖 | npm |
npmlog | 4.1.2 | 间接依赖 | npm |
has-unicode | 2.0.1 | 间接依赖 | npm |
http-browserify | 1.3.2 | 间接依赖 | npm |
bl | 1.2.2 | 间接依赖 | npm |
abbrev | 1.0.9 | 间接依赖 | npm |
object-keys | 0.4.0 | 直接依赖 | npm |
gauge | 2.7.4 | 间接依赖 | npm |
detective | 3.1.0 | 间接依赖 | npm |
lexical-scope | 1.1.1 | 间接依赖 | npm |
tty-browserify | 0.0.1 | 间接依赖 | npm |
decamelize | 1.2.0 | 间接依赖 | npm |
path-browserify | 0.0.1 | 间接依赖 | npm |
jsonparse | 0.0.5 | 间接依赖 | npm |
uglify-js | 2.3.6 | 间接依赖 | npm |
is-fullwidth-code-point | 1.0.0 | 间接依赖 | npm |
microtime | 2.1.8 | 直接依赖 | npm |
escodegen | 1.1.0 | 间接依赖 | npm |
exit | 0.1.2 | 间接依赖 | npm |
util | 0.10.4 | 间接依赖 | npm |
minimatch | 0.3.0 | 间接依赖 | npm |
github-from-package | 0.0.0 | 间接依赖 | npm |
https-browserify | 0.0.1 | 间接依赖 | npm |
esutils | 1.0.0 | 间接依赖 | npm |
lru-cache | 2.7.3 | 间接依赖 | npm |
sprintf-js | 1.0.3 | 间接依赖 | npm |
js-yaml | 3.12.0 | 间接依赖 | npm |
ruglify | 1.0.0 | 间接依赖 | npm |
lodash | git://github.com/lodash/lodash.git#6018350ac10d5ce6a5b7db625140b82aeab804df | 直接依赖 | npm |
@types/mocha | 5.2.5 | 直接依赖 | npm |
safe-buffer | 5.1.2 | 间接依赖 | npm |
simple-get | 2.8.1 | 间接依赖 | npm |
syntax-error | 1.1.6 | 间接依赖 | npm |
date-now | 0.1.4 | 直接依赖 | npm |
querystring-es3 | 0.2.1 | 间接依赖 | npm |
core-util-is | 1.0.2 | 间接依赖 | npm |
yargs | 3.5.4 | 直接依赖 | npm |
argparse | 1.0.10 | 间接依赖 | npm |
mimic-response | 1.0.1 | 间接依赖 | npm |
rc | 1.2.8 | 间接依赖 | npm |
typescript | 2.9.2 | 直接依赖 | npm |
subarg | 0.0.1 | 间接依赖 | npm |
querystring | 0.2.0 | 间接依赖 | npm |
isarray | 0.0.1 | 间接依赖 | npm |
inherits | 2.0.3 | 间接依赖 | npm |
domhandler | 2.3.0 | 间接依赖 | npm |
deep-equal | 0.1.2 | 间接依赖 | npm |
sigmund | 1.0.1 | 间接依赖 | npm |
util-deprecate | 1.0.2 | 直接依赖 | npm |
buffer | 2.8.2 | 间接依赖 | npm |
tunnel-agent | 0.6.0 | 间接依赖 | npm |
@types/node | 10.9.4 | 直接依赖 | npm |
to-buffer | 1.1.1 | 间接依赖 | npm |
buffer-alloc-unsafe | 1.1.0 | 间接依赖 | npm |
Base64 | 0.2.1 | 间接依赖 | npm |
once | 1.4.0 | 间接依赖 | npm |
browserify-zlib | 0.1.4 | 间接依赖 | npm |
nan | 2.10.0 | 间接依赖 | npm |
noop-logger | 0.1.1 | 间接依赖 | npm |
stream-combiner | 0.0.4 | 间接依赖 | npm |