基础信息
项目名称:curiefense/curiefense
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716983948953387008/1716983948995330048
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| 低危 | ||||
| Certifi 存在数据真实性验证不充分漏洞 | 对数据真实性的验证不充分 | MPS-2022-1918 | CVE-2022-23491 | 中危 |
| GitPython 存在远程代码执行漏洞 | OS命令注入 | MPS-2022-5090 | CVE-2022-24439 | 高危 |
| Python 安全漏洞 | ReDoS | MPS-2022-57238 | CVE-2022-40897 | 中危 |
| urllib3 安全漏洞 | 未授权敏感信息泄露 | MPS-46py-nxai | CVE-2023-45803 | 中危 |
| PyPI仓库charset-normalizer组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-67h0-j1fr | 高危 | |
| Certifi 数据伪造问题漏洞 | 对数据真实性的验证不充分 | MPS-ck78-r6zg | CVE-2023-37920 | 严重 |
| Requests Proxy-Authorization 标头泄露漏洞 | 未授权敏感信息泄露 | MPS-hr61-tzey | CVE-2023-32681 | 中危 |
| urllib3 HTTP重定向信息泄露漏洞 | 未授权敏感信息泄露 | MPS-s0oy-afbw | CVE-2023-43804 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| charset-normalizer | 2.0.12 | 间接依赖 | 强烈建议修复 | |
| certifi | 2021.10.8 | 2023.7.22 | 间接依赖 | 建议修复 |
| urllib3 | 1.26.9 | 间接依赖 | 建议修复 | |
| requests | 2.27.1 | 2.31.0 | 间接依赖 | 建议修复 |
| GitPython | 3.1.27 | 间接依赖 | 建议修复 | |
| pydash | 5.0.2 | 6.0.0 | 间接依赖 | 可选修复 |
| setuptools | 39.2.0 | 65.5.1 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| BSD-3-Clause | 6 | 低 |
| Apache-2.0 | 16 | 低 |
| 自定义许可证 | 12 | 低 |
| MIT | 21 | 低 |
| Unlicense | 1 | 低 |
| MPL-2.0 | 1 | 低 |
| GPL-2.0 | 1 | 中 |
| BSD-2-Clause | 2 | 低 |
| ISC | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| git | 间接依赖 | pip | |
| click | 7.1.2 | 间接依赖 | pip |
| Set | 间接依赖 | pip | |
| googleapis-common-protos | 1.56.0 | 间接依赖 | pip |
| MarkupSafe | 2.0.1 | 间接依赖 | pip |
| libc.so.6 | 间接依赖 | ||
| fastapi | 0.87.0 | 间接依赖 | pip |
| Optional | 间接依赖 | pip | |
| botocore | 1.25.3 | 间接依赖 | pip |
| google-auth | 2.6.6 | 间接依赖 | pip |
| Any | 间接依赖 | pip | |
| protobuf | 3.20.1 | 间接依赖 | pip |
| gitdb | 4.0.9 | 间接依赖 | pip |
| pydash | 5.0.2 | 间接依赖 | pip |
| BLOBS_PATH | 间接依赖 | pip | |
| get_driver | 间接依赖 | pip | |
| boto3 | 1.22.3 | 间接依赖 | pip |
| six | 1.16.0 | 间接依赖 | pip |
| libgcc_s.so.1 | 间接依赖 | ||
| pymongo | 4.1.1 | 间接依赖 | pip |
| pycparser | 2.21 | 间接依赖 | pip |
| jsonpath-ng | 1.5.3 | 间接依赖 | pip |
| timedelta | 间接依赖 | pip | |
| ld-linux-x86-64.so.2 | 间接依赖 | ||
| cffi | 1.15.0 | 间接依赖 | pip |
| cachetools | 5.0.0 | 间接依赖 | pip |
| aniso8601 | 9.0.1 | 间接依赖 | pip |
| filelock | 3.6.0 | 间接依赖 | pip |
| google-crc32c | 1.1.2 | 间接依赖 | pip |
| bootstrap_small_config_json | 间接依赖 | pip | |
| jmespath | 1.0.0 | 间接依赖 | pip |
| urllib3 | 1.26.9 | 间接依赖 | pip |
| libhs_runtime.so.4 | 间接依赖 | ||
| charset-normalizer | 2.0.12 | 间接依赖 | pip |
| colorama | 0.4.4 | 间接依赖 | pip |
| Werkzeug | 0.16.1 | 间接依赖 | pip |
| jsonschema | 4.4.0 | 间接依赖 | pip |
| NotFoundError | 间接依赖 | pip | |
| itsdangerous | 1.1.0 | 间接依赖 | pip |
| task | 间接依赖 | pip | |
| configparser | 5.2.0 | 间接依赖 | pip |
| rsa | 4.8 | 间接依赖 | pip |
| pyrsistent | 0.18.1 | 间接依赖 | pip |
| inflection | 0.5.1 | 间接依赖 | pip |
| decorator | 5.1.1 | 间接依赖 | pip |
| google-cloud-core | 2.3.0 | 间接依赖 | pip |
| certifi | 2021.10.8 | 间接依赖 | pip |
| importlib-resources | 5.7.1 | 间接依赖 | pip |
| Jinja2 | 2.11.3 | 间接依赖 | pip |
| model | 间接依赖 | pip | |
| simple_rest_client | 间接依赖 | pip | |
| libdl.so.2 | 间接依赖 | ||
| botocore-stubs | 1.25.3 | 间接依赖 | pip |
| fasteners | 0.17.3 | 间接依赖 | pip |
| uWSGI | 2.0.20 | 间接依赖 | pip |
| pyasn1-modules | 0.2.8 | 间接依赖 | pip |
| libhs.so.4 | 间接依赖 | ||
| google-cloud-storage | 2.3.0 | 间接依赖 | pip |
| google-api-core | 2.7.2 | 间接依赖 | pip |
| AuthError | 间接依赖 | pip | |
| cloudstorage | 0.10.1 | 间接依赖 | pip |
| curieconf | 间接依赖 | pip | |
| minio | 6.0.2 | 间接依赖 | pip |
| attrs | 21.4.0 | 间接依赖 | pip |
| prometheus-fastapi-instrumentator | 5.9.1 | 间接依赖 | pip |
| GitPython | 3.1.27 | 间接依赖 | pip |
| pydantic | 1.10.2 | 间接依赖 | pip |
| mypy-boto3-s3 | 1.22.0.post1 | 间接依赖 | pip |
| DOCUMENTS_PATH | 间接依赖 | pip | |
| HttpUser | 间接依赖 | pip | |
| idna | 3.3 | 间接依赖 | pip |
| fields | 间接依赖 | pip | |
| python-dateutil | 2.8.2 | 间接依赖 | pip |
| ply | 3.11 | 间接依赖 | pip |
| zipp | 3.8.0 | 间接依赖 | pip |
| boto3-stubs | 1.22.3 | 间接依赖 | pip |
| pyasn1 | 0.4.8 | 间接依赖 | pip |
| pytz | 2022.1 | 间接依赖 | pip |
| python-magic | 0.4.25 | 间接依赖 | pip |
| libhs_runtime.so.5 | 间接依赖 | ||
| setuptools | 39.2.0 | 间接依赖 | pip |
| List | 间接依赖 | pip | |
| uvicorn | 0.19.0 | 间接依赖 | pip |
| bootstrap_config_json | 间接依赖 | pip | |
| DriverName | 间接依赖 | pip | |
| requests | 2.27.1 | 间接依赖 | pip |
| librt.so.1 | 间接依赖 | ||
| libhs.so.5 | 间接依赖 | ||
| s3transfer | 0.5.2 | 间接依赖 | pip |
| typing_extensions | 4.2.0 | 间接依赖 | pip |
| smmap | 5.0.0 | 间接依赖 | pip |
| xattr | 0.9.9 | 间接依赖 | pip |
| google-resumable-media | 2.3.2 | 间接依赖 | pip |
| libpthread.so.0 | 间接依赖 | ||
| gitdb | 间接依赖 | pip |