Basic information
Project name: gabrielfalcao/lettuce
Project badge:
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1718021904848961536/1718021904987373568
This report is provided by Murphysec
Vulnerability list
| Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| lxml cross-site scripting vulnerability | XSS | MPS-2018-15340 | CVE-2018-19787 | Medium |
| aaugustin websockets security vulnerability | Denial of service | MPS-2018-8367 | CVE-2018-1000518 | High |
| lxml cross-site scripting vulnerability | XSS | MPS-2020-17664 | CVE-2020-27783 | Medium |
| lxml cross-site scripting vulnerability | XSS | MPS-2021-3272 | CVE-2021-28957 | Medium |
| lxml injection vulnerability | XSS | MPS-2021-36943 | CVE-2021-43818 | High |
| lxml path traversal vulnerability | Path traversal | MPS-2022-14974 | | Medium |
| SQL injection vulnerability in Django Trunc and Extract methods | SQL injection | MPS-2022-19581 | CVE-2022-34265 | High |
| lxml and libxml2 code issue vulnerability | NULL pointer dereference | MPS-2022-46661 | CVE-2022-2309 | High |
| Tornado input validation error vulnerability | Cross-site (open) redirect | MPS-84aj-mebq | CVE-2023-28370 | Medium |
Vulnerable components
| Component | Version | Minimum fixed version | Dependency type | Recommendation |
|---|---|---|---|---|
| tornado | 4.3 | 6.3.2 | Transitive dependency | Fix recommended |
| Django | 2.1.15 | 3.2.20 | Transitive dependency | Fix recommended |
| lxml | 3.5.0 | 4.9.1 | Transitive dependency | Fix recommended |
License risk
| License type | Components affected | License risk |
|---|---|---|
| Custom license | 13 | Low |
| MIT | 7 | Low |
| BSD-2-Clause | 1 | Low |
| GPL-2.0 | 1 | Medium |
| Apache-2.0 | 3 | Low |
| BSD-3-Clause | 3 | Low |
| ZPL-2.1 | 1 | Low |
SBOM inventory
| Component | Component version | Direct dependency? | Repository |
|---|---|---|---|
| CreateError | | Transitive | pip |
| File | | Transitive | pip |
| OptionParser | | Transitive | pip |
| lookup_field | | Transitive | pip |
| Book | | Transitive | pip |
| load_app | | Transitive | pip |
| copy_helper | | Transitive | pip |
| Sum | | Transitive | pip |
| join | | Transitive | pip |
| notice_h | | Transitive | pip |
| HttpResponseServerError | | Transitive | pip |
| build_suite | | Transitive | pip |
| Literal | | Transitive | pip |
| Sphinx | 1.1.3 | Transitive | pip |
| backend | | Transitive | pip |
| OGRException | | Transitive | pip |
| constants | | Transitive | pip |
| cssselect | 0.9.1 | Transitive | pip |
| mysql | | Transitive | pip |
| get_warnings_state | | Transitive | pip |
| mod_python | | Transitive | pip |
| forms | | Transitive | pip |
| markment | 0.2.21 | Transitive | pip |
| Paginator | | Transitive | pip |
| SpatialFunction | | Transitive | pip |
| SpatialReference | | Transitive | pip |
| temp_storage | | Transitive | pip |
| step | | Transitive | pip |
| MultipleObjectsReturned | | Transitive | pip |
| ungettext | | Transitive | pip |
| router | | Transitive | pip |
| c_char_p | | Transitive | pip |
| api | | Transitive | pip |
| TransactionTestCase | | Transitive | pip |
| no_mysql | | Transitive | pip |
| DataSource | | Transitive | pip |
| AnonymousUser | | Transitive | pip |
| ugettext | | Transitive | pip |
| connection | | Transitive | pip |
| City | | Transitive | pip |
| date | | Transitive | pip |
| parse_backend_uri | | Transitive | pip |
| BrokenException | | Transitive | pip |
| quote | | Transitive | pip |
| REDIRECT_FIELD_NAME | | Transitive | pip |
| RumBaba | | Transitive | pip |
| Event | | Transitive | pip |
| Extent3D | | Transitive | pip |
| Envelope | | Transitive | pip |
| LayerMapError | | Transitive | pip |
| settings | | Transitive | pip |
| lgeos | | Transitive | pip |
| IfParser | | Transitive | pip |
| PasswordResetForm | | Transitive | pip |
| skipIfDBFeature | | Transitive | pip |
| sha_constructor | | Transitive | pip |
| DateField | | Transitive | pip |
| Client | | Transitive | pip |
| display_for_field | | Transitive | pip |
| Pygments | 1.5 | Transitive | pip |
| Node | | Transitive | pip |
| Foo | | Transitive | pip |
| Writer | | Transitive | pip |
| GenericRelation | | Transitive | pip |
| debug | | Transitive | pip |
| SingleObjectTemplateResponseMixin | | Transitive | pip |
| QueryDict | | Transitive | pip |
| url | | Transitive | pip |
| Count | | Transitive | pip |
| CoordTransform | | Transitive | pip |
| urlencode | | Transitive | pip |
| fuzzywuzzy | 0.3.3 | Transitive | pip |
| preview | | Transitive | pip |
| PALETTES | | Transitive | pip |
| restore_warnings_state | | Transitive | pip |
| _imaging | | Transitive | pip |
| GEOSGeometry | | Transitive | pip |
| error_messages | | Transitive | pip |
| lettuce | | Transitive | pip |
| timeuntil | | Transitive | pip |
| SESSION_KEY | | Transitive | pip |
| PIPE | | Transitive | pip |
| nose | 1.3.7 | Transitive | pip |
| mox | 0.5.3 | Transitive | pip |
| SpatialOperation | | Transitive | pip |
| NoArgsCommand | | Transitive | pip |
| MySQLdb | | Transitive | pip |
| sure | 1.2.24 | Transitive | pip |
| steadymark | 0.6.0 | Transitive | pip |
| CustomPKModel | | Transitive | pip |
| loader | | Transitive | pip |
| User | | Transitive | pip |
| BaseCommand | | Transitive | pip |
| to_locale | | Transitive | pip |
| CommandError | | Transitive | pip |
| UrlArticle | | Transitive | pip |
| Group | | Transitive | pip |
| Country | | Transitive | pip |
| HttpResponseRedirect | | Transitive | pip |
| Person | | Transitive | pip |
| AutoField | | Transitive | pip |
| OGRGeomType | | Transitive | pip |
| django | | Transitive | pip |
| mock | 1.3.0 | Transitive | pip |
| Category | | Transitive | pip |
| StringIO | | Transitive | pip |
| user_logged_in | | Transitive | pip |
| OGRGeometry | | Transitive | pip |
| ugettext_lazy | | Transitive | pip |
| NO_DEFAULT | | Transitive | pip |
| get_app | | Transitive | pip |
| activate | | Transitive | pip |
| patterns | | Transitive | pip |
| c_char | | Transitive | pip |
| Popen | | Transitive | pip |
| Donut | | Transitive | pip |
| Variable | | Transitive | pip |
| Charset | | Transitive | pip |
| cx_Oracle | | Transitive | pip |
| SessionBase | | Transitive | pip |
| BaseDetailView | | Transitive | pip |
| regressiontests | | Transitive | pip |
| tzinfo | | Transitive | pip |
| lxml | 3.5.0 | Transitive | pip |
| LayerMapping | | Transitive | pip |
| TestCase | | Transitive | pip |
| utils | | Transitive | pip |
| transaction | | Transitive | pip |
| Article | | Transitive | pip |
| HttpResponse | | Transitive | pip |
| ObjectDoesNotExist | | Transitive | pip |
| Jinja2 | 2.10.1 | Transitive | pip |
| md5_constructor | | Transitive | pip |
| timedelta | | Transitive | pip |
| Storage | | Transitive | pip |
| urlsplit | | Transitive | pip |
| smart_str | | Transitive | pip |
| fromstr | | Transitive | pip |
| modeltests | | Transitive | pip |
| widgets | | Transitive | pip |
| constant_time_compare | | Transitive | pip |
| urlunparse | | Transitive | pip |
| salted_hmac | | Transitive | pip |
| splinter | | Transitive | pip |
| Message | | Transitive | pip |
| python-subunit | 1.2.0 | Transitive | pip |
| user_logged_out | | Transitive | pip |
| after | | Transitive | pip |
| Bar | | Transitive | pip |
| validators | | Transitive | pip |
| Max | | Transitive | pip |
| DateTimeField | | Transitive | pip |
| SetPasswordForm | | Transitive | pip |
| docutils | 0.9.1 | Transitive | pip |
| template | | Transitive | pip |
| testtools | 1.8.1 | Transitive | pip |
| RequestContext | | Transitive | pip |
| Author | | Transitive | pip |
| deactivate | | Transitive | pip |
| feedgenerator | | Transitive | pip |
| sphinx | | Transitive | pip |
| Context | | Transitive | pip |
| BaseCookie | | Transitive | pip |
| cache | | Transitive | pip |
| coverage | 4.0.3 | Transitive | pip |
| tox | 2.3.0 | Transitive | pip |
| views | | Transitive | pip |
| localflavor | | Transitive | pip |
| exceptions | | Transitive | pip |
| get_apps | | Transitive | pip |
| wizard | | Transitive | pip |
| cStringIO | | Transitive | pip |
| before | | Transitive | pip |
| app2 | | Transitive | pip |
| Point | | Transitive | pip |
| RequestFactory | | Transitive | pip |
| ImproperlyConfigured | | Transitive | pip |
| urlunsplit | | Transitive | pip |
| admin_scripts | | Transitive | pip |
| timesince | | Transitive | pip |
| except_args | | Transitive | pip |
| skipUnlessDBFeature | | Transitive | pip |
| InvalidPage | | Transitive | pip |
| check_for_language | | Transitive | pip |
| byref | | Transitive | pip |
| DatabaseError | | Transitive | pip |
| SimpleCookie | | Transitive | pip |
| UniqueTogetherModel | | Transitive | pip |
| Image | | Transitive | pip |
| query | | Transitive | pip |
| Union | | Transitive | pip |
| urlresolvers | | Transitive | pip |
| GenericForeignKey | | Transitive | pip |
| ContentFile | | Transitive | pip |
| Encoders | | Transitive | pip |
| force_unicode | | Transitive | pip |
| BaseStorage | | Transitive | pip |
| hotshot | | Transitive | pip |
| Django | 2.1.15 | Transitive | pip |
| FieldDoesNotExist | | Transitive | pip |
| DjangoTestSuiteRunner | | Transitive | pip |
| urlparse | | Transitive | pip |
| connections | | Transitive | pip |
| feeds | | Transitive | pip |
| normcase | | Transitive | pip |
| SuspiciousOperation | | Transitive | pip |
| smart_unicode | | Transitive | pip |
| get_language | | Transitive | pip |
| parse_color_setting | | Transitive | pip |
| Avg | | Transitive | pip |
| default_storage | | Transitive | pip |
| tornado | 4.3 | Transitive | pip |