基础信息
项目名称:devlive-community/authx
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1718165365728264192/1718165365807955968
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Spring Framework | 反序列化 | MPS-2020-0057 | CVE-2016-1000027 | 严重 |
| Spring Framework | 日志输出的转义处理不恰当 | MPS-2021-18854 | CVE-2021-22060 | 中危 |
| Pivotal Spring Framework 日志注入漏洞 | 日志输出的转义处理不恰当 | MPS-2021-18890 | CVE-2021-22096 | 中危 |
| Apache Commons IO 存在路径遍历漏洞 | 路径遍历 | MPS-2021-4531 | CVE-2021-29425 | 中危 |
| Bouncy Castle 私钥信息泄露漏洞 | 竞争条件 | MPS-2021-7064 | CVE-2020-15522 | 中危 |
| Pivotal Spring Framework 安全限制绕过漏洞 | 大小写敏感处理不恰当 | MPS-2022-1098 | CVE-2022-22968 | 中危 |
| Spring Framework spring-beans 存在拒绝服务漏洞 | 不加限制或调节的资源分配 | MPS-2022-1101 | CVE-2022-22970 | 中危 |
| com.google.code.gson:gson 存在BigDecimal拒绝服务漏洞 | 反序列化 | MPS-2022-12287 | CVE-2022-25647 | 高危 |
| spring-security-oauth2-client 权限提升漏洞 | 权限管理不当 | MPS-2022-12720 | CVE-2022-31690 | 高危 |
| Spring Security 绕过授权漏洞 | 权限、特权和访问控制 | MPS-2022-12722 | CVE-2022-31692 | 高危 |
| snakeYAML | 拒绝服务 | MPS-2022-5144 | CVE-2022-25857 | 高危 |
| Bouncy Castle | 密码学问题 | MPS-2022-54305 | 中危 | |
| snakeYAML | 栈缓冲区溢出 | MPS-2022-56040 | CVE-2022-38751 | 中危 |
| snakeYAML | 栈缓冲区溢出 | MPS-2022-56041 | CVE-2022-38752 | 低危 |
| snakeYAML | 栈缓冲区溢出 | MPS-2022-56051 | CVE-2022-38750 | 中危 |
| snakeYAML | 拒绝服务 | MPS-2022-56081 | CVE-2022-38749 | 中危 |
| protobuf-java 存在输入验证不当漏洞 | 拒绝服务 | MPS-2022-56472 | CVE-2022-3171 | 中危 |
| SnakeYAML | 栈缓冲区溢出 | MPS-2022-58478 | CVE-2022-41854 | 中危 |
| IBM WebSphere Application Server Liberty 存在拒绝服务漏洞 | 对因果或异常条件的不恰当检查 | MPS-2022-59813 | CVE-2022-3509 | 中危 |
| Google protobuf 安全漏洞 | 拒绝服务 | MPS-2022-59814 | CVE-2022-3510 | 高危 |
| Spring Security通配符路由绕过漏洞 | 关键资源权限分配不当 | MPS-2022-62832 | CVE-2023-20860 | 高危 |
| Spring 处理 SpEL 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-62833 | CVE-2023-20861 | 中危 |
| Spring Security Logout实现不当 | 会话固定 | MPS-2022-62834 | CVE-2023-20862 | 中危 |
| Spring Expression 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-62835 | CVE-2023-20863 | 高危 |
| Spring Boot 欢迎页功能拒绝服务风险 | 拒绝服务 | MPS-2022-62855 | CVE-2023-20883 | 高危 |
| spring-beans 远程代码执行漏洞(Spring4Shell) | 表达式语言注入 | MPS-2022-6820 | CVE-2022-22965 | 严重 |
| snakeYAML | 反序列化 | MPS-2022-9425 | CVE-2022-1471 | 高危 |
| netplex json-smart 安全漏洞 | 未经控制的递归 | MPS-2023-7760 | CVE-2023-1370 | 高危 |
| Apache Tomcat http请求走私漏洞 | 输入验证不恰当 | MPS-b5of-dwyh | CVE-2023-45648 | 中危 |
| Apache Tomcat 安全漏洞 | 清理环节不完整 | MPS-hz9y-jtfe | CVE-2023-42795 | 中危 |
| Bouncy Castle 信任管理问题漏洞 | 证书验证不恰当 | MPS-i6w7-d48e | CVE-2023-33201 | 中危 |
| Spring Security 路径匹配漏洞 | 不恰当实现的标准安全检查 | MPS-j3nx-691g | CVE-2023-34034 | 严重 |
| JSON-Java 安全漏洞 | 不加限制或调节的资源分配 | MPS-m4ex-dja2 | CVE-2023-5072 | 高危 |
| Apache Tomcat FORM 重定向漏洞 | 跨站重定向 | MPS-uy56-j8e4 | CVE-2023-41080 | 低危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| org.yaml:snakeyaml | 1.30 | 2.0 | 间接依赖 | 建议修复 |
| org.springframework:spring-context | 4.3.30.RELEASE | 5.2.21.RELEASE | 间接依赖 | 建议修复 |
| org.apache.tomcat.embed:tomcat-embed-core | 9.0.65 | 9.0.81 | 间接依赖 | 建议修复 |
| net.minidev:json-smart | 2.4.8 | 2.4.9 | 间接依赖 | 建议修复 |
| org.springframework:spring-web | 5.3.22 | 6.0.0 | 间接依赖 | 建议修复 |
| org.springframework:spring-webmvc | 5.3.23 | 5.3.26 | 间接依赖 | 建议修复 |
| com.fasterxml.jackson.core:jackson-databind | 2.14.2 | 直接依赖 | 建议修复 | |
| org.springframework.security:spring-security-oauth2-client | 5.7.3 | 5.7.5 | 间接依赖 | 建议修复 |
| org.springframework.security:spring-security-web | 5.7.3 | 5.7.10 | 间接依赖 | 建议修复 |
| org.springframework:spring-web | 5.3.23 | 6.0.0 | 间接依赖 | 建议修复 |
| org.springframework:spring-beans | 4.3.30.RELEASE | 5.2.22.RELEASE | 间接依赖 | 建议修复 |
| com.google.protobuf:protobuf-java | 3.19.4 | 3.19.6 | 间接依赖 | 可选修复 |
| org.springframework.boot:spring-boot-autoconfigure | 2.7.4 | 2.7.12 | 间接依赖 | 可选修复 |
| org.springframework:spring-core | 4.3.30.RELEASE | 5.2.23.RELEASE | 间接依赖 | 可选修复 |
| org.springframework:spring-core | 5.3.23 | 5.3.26 | 间接依赖 | 可选修复 |
| commons-io:commons-io | 2.6 | 2.7 | 直接依赖 | 可选修复 |
| org.springframework:spring-expression | 5.3.22 | 5.3.27 | 间接依赖 | 可选修复 |
| org.bouncycastle:bcprov-jdk15on | 1.64 | 间接依赖 | 可选修复 | |
| org.springframework:spring-expression | 5.3.23 | 5.3.27 | 间接依赖 | 可选修复 |
| com.google.code.gson:gson | 2.8.0 | 2.8.9 | 直接依赖 | 可选修复 |
| org.json:json | 20190722 | 20231013 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 77 | 低 |
| EPL-2.0 | 4 | 低 |
| 自定义许可证 | 9 | 低 |
| BSD-3-Clause | 2 | 低 |
| MIT | 3 | 低 |
| EPL-1.0 | 2 | 低 |
| LGPL-2.1-or-later | 2 | 低 |
| CDDL-1.1 | 1 | 低 |
| JSON | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| org.springframework:spring-jcl | 5.3.23 | 间接依赖 | maven |
| org.jboss:jandex | 2.4.2.Final | 间接依赖 | maven |
| org.devlive.authx:authx-service | 1.7.0-SNAPSHOT | 直接依赖 | maven |
| com.nimbusds:content-type | 2.2 | 间接依赖 | maven |
| jakarta.persistence:jakarta.persistence-api | 2.2.3 | 间接依赖 | maven |
| org.springframework.data:spring-data-jpa | 2.7.3 | 间接依赖 | maven |
| mkdocs-static-i18n | 0.43 | 间接依赖 | pip |
| org.ow2.asm:asm | 9.1 | 间接依赖 | maven |
| org.springframework.security:spring-security-crypto | 5.7.3 | 间接依赖 | maven |
| com.nimbusds:nimbus-jose-jwt | 9.22 | 间接依赖 | maven |
| org.projectlombok:lombok | 1.18.24 | 直接依赖 | maven |
| org.springframework.security:spring-security-core | 5.7.3 | 间接依赖 | maven |
| org.springframework.security:spring-security-oauth2-jose | 5.7.3 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-aop | 2.7.4 | 直接依赖 | maven |
| org.apache.tomcat.embed:tomcat-embed-core | 9.0.65 | 间接依赖 | maven |
| org.springframework:spring-context | 4.3.30.RELEASE | 间接依赖 | maven |
| org.hibernate.validator:hibernate-validator | 6.2.5.Final | 间接依赖 | maven |
| org.bouncycastle:bcpkix-jdk15on | 1.64 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-json | 2.7.4 | 间接依赖 | maven |
| commons-codec:commons-codec | 1.14 | 间接依赖 | maven |
| org.springframework:spring-core | 4.3.30.RELEASE | 间接依赖 | maven |
| org.springframework.boot:spring-boot | 2.7.4 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-autoconfigure | 2.7.4 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-validation | 2.7.4 | 直接依赖 | maven |
| org.devlive.authx:authx-security | 1.7.0-SNAPSHOT | 直接依赖 | maven |
| org.springframework:spring-beans | 5.3.23 | 间接依赖 | maven |
| ch.qos.logback:logback-core | 1.2.11 | 间接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.4.3.Final | 间接依赖 | maven |
| org.apache.tomcat.embed:tomcat-embed-el | 9.0.65 | 间接依赖 | maven |
| org.springframework.security:spring-security-jwt | 1.1.1.RELEASE | 直接依赖 | maven |
| org.jvnet.staxex:stax-ex | 1.8 | 间接依赖 | maven |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.13.4 | 间接依赖 | maven |
| commons-io:commons-io | 2.6 | 直接依赖 | maven |
| antlr:antlr | 2.7.7 | 间接依赖 | maven |
| org.apache.logging.log4j:log4j-api | 2.17.2 | 间接依赖 | maven |
| com.google.collections:google-collections | 1.0 | 直接依赖 | maven |
| org.springframework.boot:spring-boot-starter-web | 2.7.4 | 直接依赖 | maven |
| com.zaxxer:HikariCP | 4.0.3 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-tomcat | 2.7.4 | 间接依赖 | maven |
| net.bytebuddy:byte-buddy | 1.12.9 | 间接依赖 | maven |
| org.springframework.security:spring-security-oauth2-core | 5.7.3 | 间接依赖 | maven |
| org.hibernate.common:hibernate-commons-annotations | 5.1.2.Final | 间接依赖 | maven |
| ch.qos.logback:logback-classic | 1.2.11 | 间接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| com.fasterxml.jackson.datatype:jackson-datatype-jdk8 | 2.13.4 | 间接依赖 | maven |
| org.springframework:spring-aop | 5.3.23 | 间接依赖 | maven |
| org.springframework:spring-expression | 5.3.23 | 间接依赖 | maven |
| org.devlive.authx:authx-validation | 1.7.0-SNAPSHOT | 直接依赖 | maven |
| com.fasterxml:classmate | 1.5.1 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-data-jpa | 2.7.4 | 直接依赖 | maven |
| com.sun.istack:istack-commons-runtime | 3.0.7 | 间接依赖 | maven |
| org.springframework:spring-context | 5.3.23 | 间接依赖 | maven |
| org.springframework:spring-aspects | 5.3.23 | 间接依赖 | maven |
| org.springframework.security:spring-security-config | 5.7.3 | 间接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.4.1.Final | 间接依赖 | maven |
| com.github.stephenc.jcip:jcip-annotations | 1.0-1 | 间接依赖 | maven |
| mysql:mysql-connector-java | 8.0.29 | 直接依赖 | maven |
| org.devlive.authx:authx-common | 1.7.0-SNAPSHOT | 直接依赖 | maven |
| org.springframework:spring-web | 5.3.22 | 间接依赖 | maven |
| org.springframework:spring-orm | 5.3.23 | 间接依赖 | maven |
| org.json:json | 20190722 | 直接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.14.2 | 间接依赖 | maven |
| com.belerweb:pinyin4j | 2.5.0 | 直接依赖 | maven |
| org.yaml:snakeyaml | 1.30 | 间接依赖 | maven |
| org.devlive.authx:authx-param | 1.7.0-SNAPSHOT | 直接依赖 | maven |
| org.springframework:spring-expression | 5.3.22 | 间接依赖 | maven |
| org.bouncycastle:bcprov-jdk15on | 1.64 | 间接依赖 | maven |
| org.glassfish.jaxb:txw2 | 2.3.1 | 间接依赖 | maven |
| com.nimbusds:lang-tag | 1.6 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-oauth2-client | 2.7.4 | 直接依赖 | maven |
| org.slf4j:jul-to-slf4j | 1.7.36 | 间接依赖 | maven |
| org.springframework.security:spring-security-web | 5.7.3 | 间接依赖 | maven |
| org.springframework:spring-beans | 4.3.30.RELEASE | 间接依赖 | maven |
| org.springframework.data:spring-data-commons | 2.7.3 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-security | 2.7.4 | 直接依赖 | maven |
| org.springframework.boot:spring-boot-starter | 2.7.4 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.14.2 | 直接依赖 | maven |
| jakarta.validation:jakarta.validation-api | 2.0.2 | 间接依赖 | maven |
| net.minidev:accessors-smart | 2.4.8 | 间接依赖 | maven |
| org.hibernate:hibernate-core | 5.6.11.Final | 间接依赖 | maven |
| com.fasterxml.jackson.module:jackson-module-parameter-names | 2.13.4 | 间接依赖 | maven |
| org.springframework.security.oauth:spring-security-oauth2 | 2.5.2.RELEASE | 直接依赖 | maven |
| commons-collections:commons-collections | 3.2.2 | 直接依赖 | maven |
| com.google.protobuf:protobuf-java | 3.19.4 | 间接依赖 | maven |
| org.springframework:spring-tx | 5.3.23 | 间接依赖 | maven |
| com.sun.xml.fastinfoset:FastInfoset | 1.2.15 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-core | 2.14.2 | 间接依赖 | maven |
| org.springframework:spring-jdbc | 5.3.23 | 间接依赖 | maven |
| org.aspectj:aspectjweaver | 1.9.7 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-logging | 2.7.4 | 间接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 1.3.5 | 间接依赖 | maven |
| org.springframework:spring-core | 5.3.23 | 间接依赖 | maven |
| org.apache.tomcat.embed:tomcat-embed-websocket | 9.0.65 | 间接依赖 | maven |
| org.springframework.security:spring-security-oauth2-client | 5.7.3 | 间接依赖 | maven |
| org.apache.logging.log4j:log4j-to-slf4j | 2.17.2 | 间接依赖 | maven |
| org.springframework:spring-webmvc | 5.3.23 | 间接依赖 | maven |
| org.slf4j:slf4j-api | 1.7.32 | 间接依赖 | maven |
| net.minidev:json-smart | 2.4.8 | 间接依赖 | maven |
| org.springframework:spring-webmvc | 4.3.30.RELEASE | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-jdbc | 2.7.4 | 间接依赖 | maven |
| org.springframework:spring-web | 5.3.23 | 间接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.6 | 直接依赖 | maven |
| jakarta.transaction:jakarta.transaction-api | 1.3.3 | 间接依赖 | maven |
| org.glassfish.jaxb:jaxb-runtime | 2.3.1 | 间接依赖 | maven |
| com.google.code.gson:gson | 2.8.0 | 直接依赖 | maven |
| com.nimbusds:oauth2-oidc-sdk | 9.35 | 间接依赖 | maven |