基础信息
项目名称:eea-oasis/baseline
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1717408589496844288/1717408589542981632
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| 低危 | ||||
| NATS Server 访问控制错误漏洞 | 对异常条件的处理不恰当 | MPS-2021-3162 | CVE-2021-3127 | 高危 |
| Gin-Gonic Gin 环境问题漏洞 | HTTP请求走私 | MPS-2021-5932 | CVE-2020-28483 | 高危 |
| Go-Ethereum 代码问题漏洞 | 拒绝服务 | MPS-2022-1762 | CVE-2022-23328 | 高危 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| Google Golang 资源管理错误漏洞 | 不加限制或调节的资源分配 | MPS-2022-58311 | CVE-2022-41727 | 中危 |
| btcd 安全漏洞 | 缓冲区溢出 | MPS-2022-63685 | CVE-2022-44797 | 严重 |
| Google Go 权限许可和访问控制问题漏洞 | 权限管理不当 | MPS-2022-9049 | CVE-2022-29526 | 中危 |
| Gin-Gonic Gin 输入验证错误漏洞 | 输入验证不恰当 | MPS-2023-5119 | CVE-2023-26125 | 高危 |
| Gin 安全漏洞 | 下载代码缺少完整性检查 | MPS-2023-9711 | CVE-2023-29401 | 中危 |
| Geth 安全漏洞 | MPS-9vf8-lakn | CVE-2023-42319 | 高危 | |
| Ethereum Go-ethereum 资源管理错误漏洞 | 拒绝服务 | MPS-acjf-e36w | CVE-2023-40591 | 高危 |
| gnark 安全漏洞 | 不充分的比较 | MPS-v53m-cjao | CVE-2023-44378 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| golang.org/x/image | v0.0.0-20200430140353-33d19683fad8 | 0.5.0 | 间接依赖 | 建议修复 |
| golang.org/x/net | v0.0.0-20210226172049-e18ecbb05110 | 0.17.0 | 间接依赖 | 建议修复 |
| github.com/gin-gonic/gin | v1.6.3 | 1.9.1 | 直接依赖 | 建议修复 |
| github.com/ethereum/go-ethereum | v1.9.25 | 间接依赖 | 建议修复 | |
| golang.org/x/net | v0.0.0-20200505041828-1ed23360d12c | 0.17.0 | 直接依赖 | 建议修复 |
| github.com/btcsuite/btcd | v0.0.0-20171128150713-2e60448ffcc6 | 0.23.2 | 间接依赖 | 建议修复 |
| github.com/nats-io/jwt | v1.2.2 | 1.2.3 | 间接依赖 | 建议修复 |
| github.com/consensys/gnark-crypto | v0.4.1-0.20210428083642-6bd055b79906 | 0.12.0 | 直接依赖 | 可选修复 |
| github.com/consensys/gnark-crypto | v0.5.4-0.20211222202820-aee0c136fb9f | 0.12.0 | 直接依赖 | 可选修复 |
| golang.org/x/sys | v0.0.0-20200501145240-bc7a7d42d5c3 | 0.1.0 | 间接依赖 | 可选修复 |
| github.com/consensys/gnark | v0.4.0 | 0.9.0 | 直接依赖 | 可选修复 |
| github.com/consensys/gnark-crypto | v0.5.0 | 0.12.0 | 间接依赖 | 可选修复 |
| github.com/consensys/gnark | v0.5.3-0.20211222234756-0c2d931d5e44 | 0.9.0 | 直接依赖 | 可选修复 |
| golang.org/x/sys | v0.0.0-20210420205809-ac73e9fd8988 | 0.1.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| BSD-3-Clause | 30 | 低 |
| MIT | 27 | 低 |
| MPL-2.0 | 15 | 低 |
| Apache-2.0 | 23 | 低 |
| ISC | 1 | 低 |
| LGPL-3.0 | 1 | 中 |
| GPL-3.0 | 1 | 中 |
| BSD-2-Clause | 3 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/golang/snappy | v0.0.3-0.20201103224600-674baa8c7fc3 | 间接依赖 | go |
| Microsoft.OData.Edm | 6.15.0 | 间接依赖 | nuget |
| Microsoft.IdentityModel.Clients.ActiveDirectory | 3.13.8 | 间接依赖 | nuget |
| github.com/go-playground/validator/v10 | v10.4.1 | 间接依赖 | go |
| github.com/hashicorp/go-retryablehttp | v0.6.2 | 间接依赖 | go |
| github.com/hashicorp/go-version | v1.1.0 | 间接依赖 | go |
| PrivateKey | 间接依赖 | pip | |
| github.com/kr/pretty | v0.2.0 | 间接依赖 | go |
| github.com/consensys/gnark-crypto | v0.5.4-0.20211222202820-aee0c136fb9f | 直接依赖 | go |
| golang.org/x/image | v0.0.0-20200430140353-33d19683fad8 | 间接依赖 | go |
| github.com/consensys/gnark | v0.4.0 | 直接依赖 | go |
| github.com/cncf/udpa/go | v0.0.0-20200327203949-e8cd3a4bb307 | 间接依赖 | go |
| golang.org/x/sync | v0.0.0-20201207232520-09787c993a3a | 间接依赖 | go |
| golang.org/x/mobile | v0.0.0-20200329125638-4c31acba0007 | 间接依赖 | go |
| google.golang.org/grpc | v1.22.0 | 间接依赖 | go |
| golang.org/x/sys | v0.0.0-20200501145240-bc7a7d42d5c3 | 间接依赖 | go |
| github.com/go-gl/glfw/v3.3/glfw | v0.0.0-20200420212212-258d9bec320e | 间接依赖 | go |
| github.com/btcsuite/btcd | v0.0.0-20171128150713-2e60448ffcc6 | 间接依赖 | go |
| Newtonsoft.Json | 9.0.1 | 间接依赖 | nuget |
| github.com/VictoriaMetrics/fastcache | v1.5.7 | 间接依赖 | go |
| github.com/ugorji/go | v1.2.2 | 间接依赖 | go |
| github.com/hashicorp/vault/sdk | v0.1.14-0.20200305172021-03a3749f220d | 间接依赖 | go |
| github.com/armon/go-radix | v0.0.0-20180808171621-7fddfc383310 | 间接依赖 | go |
| github.com/json-iterator/go | v1.1.10 | 间接依赖 | go |
| github.com/hashicorp/go-multierror | v1.0.0 | 间接依赖 | go |
| github.com/hashicorp/go-cleanhttp | v0.5.1 | 间接依赖 | go |
| github.com/rogpeppe/go-internal | v1.5.2 | 间接依赖 | go |
| github.com/gogo/protobuf | v1.2.0 | 间接依赖 | go |
| github.com/shirou/gopsutil | v2.20.5+incompatible | 间接依赖 | go |
| golang.org/x/time | v0.0.0-20200416051211-89c76fbcd5d1 | 间接依赖 | go |
| Microsoft.OData.Core | 6.15.0 | 间接依赖 | nuget |
| github.com/ryanuber/go-glob | v1.0.0 | 间接依赖 | go |
| github.com/yuin/goldmark | v1.1.30 | 间接依赖 | go |
| github.com/hashicorp/errwrap | v1.0.0 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20190404172233-64821d5d2107 | 间接依赖 | go |
| github.com/nats-io/nats.go | v1.10.0 | 直接依赖 | go |
| github.com/aristanetworks/goarista | v0.0.0-20170210015632-ea17b1a17847 | 间接依赖 | go |
| github.com/BurntSushi/xgb | v0.0.0-20200324125942-20f126ea2843 | 间接依赖 | go |
| golang.org/x/net | v0.0.0-20210226172049-e18ecbb05110 | 间接依赖 | go |
| github.com/envoyproxy/go-control-plane | v0.9.5 | 间接依赖 | go |
| github.com/hashicorp/yamux | v0.0.0-20181012175058-2f1d1f20f75d | 间接依赖 | go |
| google.golang.org/protobuf | v1.23.0 | 间接依赖 | go |
| go.mongodb.org/mongo-driver | v1.4.4 | 直接依赖 | go |
| github.com/shopspring/decimal | v1.2.0 | 直接依赖 | go |
| golang.org/x/exp | v0.0.0-20200331195152-e8c3332aa8e5 | 间接依赖 | go |
| Microsoft.Spatial | 6.15.0 | 间接依赖 | nuget |
| github.com/GoogleCloudPlatform/functions-framework-go | v1.0.1 | 直接依赖 | go |
| golang.org/x/crypto | v0.0.0-20200429183012-4b2356b1ed79 | 间接依赖 | go |
| github.com/gin-gonic/gin | v1.6.3 | 直接依赖 | go |
| ts-log | 2.2.5 | 直接依赖 | npm |
| golang.org/x/oauth2 | v0.0.0-20200107190931-bf48bf16ab8d | 直接依赖 | go |
| github.com/stretchr/testify | v1.5.1 | 间接依赖 | go |
| github.com/hashicorp/go-rootcerts | v1.0.1 | 间接依赖 | go |
| github.com/stretchr/objx | v0.2.0 | 间接依赖 | go |
| github.com/hashicorp/go-uuid | v1.0.2-0.20191001231223-f32f5fe8d6a8 | 间接依赖 | go |
| github.com/kr/text | v0.2.0 | 间接依赖 | go |
| github.com/prometheus/tsdb | v0.6.2-0.20190402121629-4f204dcbc150 | 间接依赖 | go |
| github.com/hashicorp/go-sockaddr | v1.0.2 | 间接依赖 | go |
| github.com/nats-io/nats-server/v2 | v2.1.9 | 间接依赖 | go |
| github.com/olekukonko/tablewriter | v0.0.2-0.20190409134802-7e037d187b0c | 间接依赖 | go |
| github.com/ethereum/go-ethereum | v1.9.25 | 间接依赖 | go |
| github.com/leodido/go-urn | v1.2.1 | 间接依赖 | go |
| github.com/consensys/quorum | v2.7.0+incompatible | 间接依赖 | go |
| dmitri.shuralyov.com/gpu/mtl | v0.0.0-20191203043605-d42048ed14fd | 间接依赖 | go |
| github.com/go-chi/render | v1.0.1 | 直接依赖 | go |
| gopkg.in/yaml.v2 | v2.2.8 | 间接依赖 | go |
| github.com/hashicorp/go-hclog | v0.9.2 | 间接依赖 | go |
| github.com/steakknife/bloomfilter | v0.0.0-20180922174646-6819c0d2a570 | 间接依赖 | go |
| github.com/consensys/gnark | v0.5.3-0.20211222234756-0c2d931d5e44 | 直接依赖 | go |
| github.com/prometheus/client_golang | v0.9.3-0.20190127221311-3c4408c8b829 | 间接依赖 | go |
| github.com/ianlancetaylor/demangle | v0.0.0-20200414190113-039b1ae3a340 | 间接依赖 | go |
| golang.org/x/text | v0.3.3 | 间接依赖 | go |
| github.com/pkg/errors | v0.8.1 | 间接依赖 | go |
| github.com/hashicorp/go-immutable-radix | v1.0.0 | 间接依赖 | go |
| github.com/klauspost/compress | v1.11.4 | 间接依赖 | go |
| github.com/oklog/run | v1.0.0 | 间接依赖 | go |
| golang.org/x/tools | v0.0.0-20200505023115-26f46d2f7ef8 | 间接依赖 | go |
| github.com/pierrec/lz4 | v2.0.5+incompatible | 间接依赖 | go |
| github.com/pborman/uuid | v1.2.1 | 直接依赖 | go |
| golang.org/x/net | v0.0.0-20200505041828-1ed23360d12c | 直接依赖 | go |
| github.com/consensys/gnark-crypto | v0.5.0 | 间接依赖 | go |
| github.com/hashicorp/golang-lru | v0.5.4 | 间接依赖 | go |
| github.com/go-stack/stack | v1.8.0 | 间接依赖 | go |
| google.golang.org/api | v0.23.0 | 直接依赖 | go |
| github.com/syndtr/goleveldb | v1.0.1-0.20200815110645-5c35d600f0ca | 间接依赖 | go |
| github.com/aws/aws-sdk-go | v1.36.19 | 间接依赖 | go |
| github.com/mattn/go-runewidth | v0.0.4 | 间接依赖 | go |
| gopkg.in/check.v1 | v1.0.0-20200227125254-8fa46927fb4f | 间接依赖 | go |
| github.com/prometheus/client_model | v0.2.0 | 间接依赖 | go |
| github.com/google/pprof | v0.0.0-20200504201735-160c4290d1d8 | 间接依赖 | go |
| github.com/hashicorp/go-plugin | v1.0.1 | 间接依赖 | go |
| PublicKey | 间接依赖 | pip | |
| golang.org/x/sys | v0.0.0-20210420205809-ac73e9fd8988 | 间接依赖 | go |
| github.com/golang/protobuf | v1.4.1 | 间接依赖 | go |
| github.com/mitchellh/mapstructure | v1.1.2 | 间接依赖 | go |
| github.com/nats-io/jwt | v1.2.2 | 间接依赖 | go |
| github.com/mitchellh/go-testing-interface | v1.0.0 | 间接依赖 | go |
| github.com/golang/protobuf | v1.4.2 | 间接依赖 | go |
| mscoree.dll | 间接依赖 | ||
| rsc.io/sampler | v1.99.99 | 间接依赖 | go |
| cloud.google.com/go/storage | v1.7.0 | 间接依赖 | go |
| github.com/hashicorp/hcl | v1.0.0 | 间接依赖 | go |
| github.com/consensys/gnark-crypto | v0.4.1-0.20210428083642-6bd055b79906 | 直接依赖 | go |
| github.com/joho/godotenv | v1.3.0 | 直接依赖 | go |
| golang.org/x/crypto | v0.0.0-20210322153248-0c34fe9e7dc2 | 间接依赖 | go |
| github.com/hashicorp/vault/api | v1.0.5-0.20200117231345-460d63e36490 | 间接依赖 | go |
| zokrates_pycrypto | 间接依赖 | pip | |
| github.com/steakknife/hamming | v0.0.0-20180906055917-c99c65617cd3 | 间接依赖 | go |
| golang.org/x/time | v0.0.0-20190308202827-9d24e82272b4 | 间接依赖 | go |
| gopkg.in/square/go-jose.v2 | v2.3.1 | 间接依赖 | go |
| github.com/cespare/xxhash/v2 | v2.1.1 | 间接依赖 | go |
| Microsoft.OData.Client | 6.15.0 | 间接依赖 | nuget |