基础信息
项目名称:dcm4che/dcm4che
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1717086431574884352/1717086431616827392
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Apache Camel 输入验证错误漏洞 | 不恰当地信任反向DNS | MPS-2020-7440 | CVE-2020-11971 | 高危 |
| keycloak 安全漏洞 | 使用基本弱点进行的认证绕过 | MPS-2021-1761 | CVE-2020-14359 | 高危 |
| Red Hat Keycloak 身份验证绕过漏洞 | 用户管理不正确 | MPS-2021-30695 | CVE-2021-3754 | 中危 |
| Red Hat Keycloak 授权问题漏洞 | 身份验证不当 | MPS-2021-32383 | CVE-2021-3827 | 中危 |
| commons-codec:commons-codec 存在信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2022-11853 | 低危 | |
| XStream 缓冲区错误漏洞 | 输入验证不恰当 | MPS-2022-57061 | CVE-2022-40156 | 低危 |
| xstream project跨界内存写漏洞 | 跨界内存写 | MPS-2022-57062 | CVE-2022-40155 | 高危 |
| xstream project跨界内存写漏洞 | 跨界内存写 | MPS-2022-57063 | CVE-2022-40154 | 高危 |
| XStream 缓冲区错误漏洞 | 越界写入 | MPS-2022-57065 | CVE-2022-40152 | 高危 |
| Apache Commons Compress 资源管理错误漏洞 | 拒绝服务 | MPS-9azi-sfqp | CVE-2023-42503 | 中危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| org.apache.camel:camel-core | 2.24.0 | 2.25.1 | 直接依赖 | 建议修复 |
| com.fasterxml.jackson.core:jackson-databind | 2.15.2 | 间接依赖 | 建议修复 | |
| org.keycloak:keycloak-server-spi-private | 22.0.4 | 直接依赖 | 建议修复 | |
| org.keycloak:keycloak-core | 22.0.4 | 直接依赖 | 建议修复 | |
| com.fasterxml.woodstox:woodstox-core | 6.2.8 | 6.4.0 | 间接依赖 | 建议修复 |
| org.apache.commons:commons-compress | 1.23.0 | 1.24.0 | 直接依赖 | 可选修复 |
| commons-codec:commons-codec | 1.11 | 1.13 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| 自定义许可证 | 33 | 低 |
| Apache-2.0 | 41 | 低 |
| GPL-2.0-with-classpath-exception | 1 | 中 |
| EPL-2.0 | 7 | 低 |
| LGPL-3.0-or-later | 4 | 低 |
| EPL-1.0 | 2 | 低 |
| MIT-0 | 1 | 低 |
| MIT | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| org.glassfish.jaxb:txw2 | 4.0.1 | 间接依赖 | maven |
| org.apache.commons:commons-compress | 1.23.0 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-common | 5.31.1 | 直接依赖 | maven |
| org.apache.commons:commons-csv | 1.10.0 | 直接依赖 | maven |
| com.sun.xml.bind.external:relaxng-datatype | 4.0.2 | 间接依赖 | maven |
| org.jboss:jandex | 2.4.3.Final | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-hl7pix | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2xml | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-imageio-rle | 5.31.1 | 直接依赖 | maven |
| org.apache.james:apache-mime4j-core | 0.8.9 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-upsscu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-json2index | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmdump | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-core | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-ianscu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2str | 5.31.1 | 直接依赖 | maven |
| org.jvnet.mimepull:mimepull | 1.10.0 | 间接依赖 | maven |
| org.dcm4che:dcm4che-soundex | 5.31.1 | 直接依赖 | maven |
| org.keycloak:keycloak-server-spi | 22.0.4 | 直接依赖 | maven |
| org.dcm4che:dcm4che-dict | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-dict-priv | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-xdsi | 5.31.1 | 直接依赖 | maven |
| com.sun.media:jai_imageio | 1.2-pre-dr-b04 | 直接依赖 | maven |
| org.keycloak:keycloak-common | 22.0.4 | 间接依赖 | maven |
| jakarta.xml.bind:jakarta.xml.bind-api | 4.0.0 | 直接依赖 | maven |
| jakarta.activation:jakarta.activation-api | 2.1.2 | 直接依赖 | maven |
| com.sun.istack:istack-commons-tools | 4.1.2 | 间接依赖 | maven |
| jakarta.ws.rs:jakarta.ws.rs-api | 3.1.0 | 直接依赖 | maven |
| commons-io:commons-io | 2.11.0 | 间接依赖 | maven |
| com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider | 2.14.3 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-storescu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-hl7rcv | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-xjc | 4.0.1 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-pdf2dcm | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-net-imageio | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-mppsscp | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-emf2sf | 5.31.1 | 直接依赖 | maven |
| com.github.java-json-tools:json-patch | 1.13 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-wadows | 5.31.1 | 直接依赖 | maven |
| com.sun.xml.bind:jaxb-impl | 2.3.0 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-stowrs | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmvalidate | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-storescp | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2dcm | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-deident | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-ianscp | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-emf | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:txw2 | 4.0.2 | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-core | 6.2.4.Final | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.14.3 | 间接依赖 | maven |
| org.glassfish.ha:ha-api | 3.1.13 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2jpg | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-agfa2sr | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-image | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-audit-keycloak | 5.31.1 | 直接依赖 | maven |
| org.weasis.core:weasis-core-img | 4.8.0.1 | 直接依赖 | maven |
| com.sun.xml.messaging.saaj:saaj-impl | 3.0.0 | 间接依赖 | maven |
| org.dcm4che:dcm4che-conf-api | 5.31.1 | 直接依赖 | maven |
| org.eclipse.angus:angus-mail | 1.0.0 | 间接依赖 | maven |
| org.dcm4che:dcm4che-qstar | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-syslogd | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmldap | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2pdf | 5.31.1 | 直接依赖 | maven |
| org.jboss.resteasy:resteasy-jaxb-provider | 6.2.4.Final | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-client | 6.2.4.Final | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-deidentify | 5.31.1 | 直接依赖 | maven |
| org.apache.james:apache-mime4j-dom | 0.8.9 | 间接依赖 | maven |
| com.sun.xml.bind:jaxb-core | 2.3.0 | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-multipart-provider | 6.2.4.Final | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-hl7snd | 5.31.1 | 直接依赖 | maven |
| org.eclipse.parsson:parsson | 1.1.3 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmqrscp | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool.ihe:dcm4che-tool-ihe-modality | 5.31.1 | 直接依赖 | maven |
| commons-codec:commons-codec | 1.11 | 间接依赖 | maven |
| org.glassfish.jaxb:jaxb-jxc | 4.0.2 | 间接依赖 | maven |
| org.dcm4che:dcm4che-conf-ldap-audit | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-core | 4.0.1 | 间接依赖 | maven |
| org.eclipse.angus:angus-activation | 2.0.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-findscu | 5.31.1 | 直接依赖 | maven |
| com.sun.xml.stream.buffer:streambuffer | 2.1.0 | 间接依赖 | maven |
| org.dcm4che:dcm4che-dcmr | 5.31.1 | 直接依赖 | maven |
| com.sun.media:clibwrapper_jiio | 1.2-pre-dr-b04 | 间接依赖 | maven |
| com.github.java-json-tools:btf | 1.3 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcm2json | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-tpl2xml | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-stowrsd | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-conf-ldap | 5.31.1 | 直接依赖 | maven |
| org.jboss.resteasy:resteasy-jackson2-provider | 6.2.4.Final | 间接依赖 | maven |
| org.dcm4che:dcm4che-net-hl7 | 5.31.1 | 直接依赖 | maven |
| org.weasis.thirdparty.org.opencv:libopencv_java | 4.8.0-dcm | 直接依赖 | maven |
| org.dcm4che:dcm4che-audit | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-xml2hl7 | 5.31.1 | 直接依赖 | maven |
| org.jboss.resteasy:resteasy-core-spi | 6.2.4.Final | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-qstar | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:xsom | 4.0.2 | 间接依赖 | maven |
| org.dcm4che:dcm4che-mime | 5.31.1 | 直接依赖 | maven |
| org.glassfish.external:management-api | 3.2.3 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-json2dcm | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-imageio-opencv | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-jpg2dcm | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-js-dict | 5.31.1 | 直接依赖 | maven |
| com.github.java-json-tools:msg-simple | 1.2 | 间接依赖 | maven |
| com.github.java-json-tools:jackson-coreutils | 2.0 | 间接依赖 | maven |
| org.apache.httpcomponents:httpclient | 4.5.14 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-syslog | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-conf-json | 5.31.1 | 直接依赖 | maven |
| com.sun.istack:istack-commons-runtime | 4.1.2 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-mkkos | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-maskpxdata | 5.31.1 | 直接依赖 | maven |
| org.apache.james:apache-mime4j-storage | 0.8.9 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.15.2 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-hl72xml | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-stgcmtscu | 5.31.1 | 直接依赖 | maven |
| org.weasis.thirdparty.org.opencv:opencv_java | 4.8.0-dcm | 直接依赖 | maven |
| jakarta.json:jakarta.json-api | 2.1.2 | 直接依赖 | maven |
| jakarta.validation:jakarta.validation-api | 3.0.2 | 间接依赖 | maven |
| org.dcm4che:dcm4che-net-audit | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-conf-ldap-hl7 | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-core | 4.0.2 | 间接依赖 | maven |
| jakarta.mail:jakarta.mail-api | 2.1.0 | 间接依赖 | maven |
| org.glassfish.gmbal:gmbal-api-only | 4.0.3 | 间接依赖 | maven |
| com.ibm.async:asyncutil | 0.1.0 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-hl7pdq | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmbenchmark | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-xroad | 5.31.1 | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-runtime | 4.0.1 | 间接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.5.0.Final | 间接依赖 | maven |
| org.dcm4che:dcm4che-json | 5.31.1 | 直接依赖 | maven |
| org.keycloak:keycloak-admin-client | 22.0.4 | 直接依赖 | maven |
| jakarta.xml.soap:jakarta.xml.soap-api | 3.0.0 | 间接依赖 | maven |
| org.glassfish.jaxb:codemodel | 4.0.2 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-agfa2dcm | 5.31.1 | 直接依赖 | maven |
| com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base | 2.14.3 | 间接依赖 | maven |
| org.dcm4che:dcm4che-conf-ldap-imageio | 5.31.1 | 直接依赖 | maven |
| org.apache.httpcomponents:httpcore | 4.4.16 | 间接依赖 | maven |
| org.codehaus.woodstox:stax2-api | 4.2.1 | 间接依赖 | maven |
| commons-codec:commons-codec | 1.15 | 间接依赖 | maven |
| org.jvnet.staxex:stax-ex | 2.1.0 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.15.2 | 间接依赖 | maven |
| org.keycloak:keycloak-server-spi-private | 22.0.4 | 直接依赖 | maven |
| com.sun.istack:istack-commons-runtime | 4.1.1 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-getscu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-mppsscu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-ws-rs | 5.31.1 | 直接依赖 | maven |
| com.sun.media:clib_jiio | 1.2-pre-dr-b04 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-wadors | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-xroad | 5.31.1 | 直接依赖 | maven |
| com.sun.xml.bind.external:rngom | 4.0.2 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-json2rst | 5.31.1 | 直接依赖 | maven |
| ch.qos.logback:logback-core | 1.4.4 | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-client-api | 6.2.4.Final | 间接依赖 | maven |
| org.dcm4che:dcm4che-imageio | 5.31.1 | 直接依赖 | maven |
| org.reactivestreams:reactive-streams | 1.0.4 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmassoc | 5.31.1 | 直接依赖 | maven |
| com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations | 2.14.3 | 间接依赖 | maven |
| org.dcm4che:dcm4che-hl7 | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-dcmdir | 5.31.1 | 直接依赖 | maven |
| org.apache.camel:camel-core | 2.24.0 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-movescu | 5.31.1 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-xml2dcm | 5.31.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-net | 5.31.1 | 直接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.1.1 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-json2props | 5.31.1 | 直接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| com.fasterxml.woodstox:woodstox-core | 6.2.8 | 间接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-fixlo2un | 5.31.1 | 直接依赖 | maven |
| com.fasterxml.jackson.core:jackson-core | 2.15.2 | 间接依赖 | maven |
| ch.qos.logback:logback-classic | 1.4.4 | 直接依赖 | maven |
| org.slf4j:slf4j-api | 2.0.1 | 直接依赖 | maven |
| org.dcm4che:dcm4che-conf-api-hl7 | 5.31.1 | 直接依赖 | maven |
| org.keycloak:keycloak-core | 22.0.4 | 直接依赖 | maven |
| com.sun.xml.ws:rt | 4.0.0 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-planarconfig | 5.31.1 | 直接依赖 | maven |
| jakarta.xml.ws:jakarta.xml.ws-api | 4.0.0 | 间接依赖 | maven |
| commons-cli:commons-cli | 1.5.0 | 直接依赖 | maven |
| org.dcm4che.tool:dcm4che-tool-swappxdata | 5.31.1 | 直接依赖 | maven |
| com.sun.xml.ws:policy | 4.0.0 | 间接依赖 | maven |