基础信息
项目名称:igniterealtime/Openfire
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1718779564306071552/1718779564348014592
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| 低危 | ||||
| Direct Web Remoting 跨站脚本漏洞 | XSS | MPS-2014-7184 | CVE-2014-5326 | 中危 |
| Ignite Realtime Openfire 路径遍历漏洞 | 路径遍历 | MPS-2019-13695 | CVE-2019-18393 | 中危 |
| Ignite Realtime Openfire 跨站脚本漏洞 | XSS | MPS-2020-15535 | CVE-2019-20364 | 中危 |
| Ignite Realtime Openfire 跨站脚本漏洞 | XSS | MPS-2020-15536 | CVE-2019-20365 | 中危 |
| JDOM 存在 XXE 注入漏洞 | XXE | MPS-2021-8350 | CVE-2021-33813 | 高危 |
| Eclipse Jetty URI注入漏洞 | 注入 | MPS-2022-18060 | CVE-2022-2047 | 低危 |
| Oracle MySQL Server存在未明漏洞 | MPS-2022-68556 | CVE-2023-21971 | 中危 | |
| Hot Rod 安全漏洞 | 证书验证不恰当 | MPS-b7oj-adm3 | CVE-2023-4586 | 高危 |
| Bouncy Castle 信任管理问题漏洞 | 证书验证不恰当 | MPS-i6w7-d48e | CVE-2023-33201 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| com.mysql:mysql-connector-j | 8.0.32 | 8.0.33 | 直接依赖 | 建议修复 |
| org.eclipse.jetty:jetty-http | 10.0.17 | 11.0.16 | 间接依赖 | 可选修复 |
| org.jdom:jdom2 | 2.0.6 | 2.0.6.1 | 间接依赖 | 可选修复 |
| org.igniterealtime.openfire:xmppserver | 4.8.0-SNAPSHOT | 直接依赖 | 可选修复 | |
| io.netty:netty-handler | 4.1.100.Final | 间接依赖 | 可选修复 | |
| org.dom4j:dom4j | 2.1.3 | 直接依赖 | 可选修复 | |
| org.bouncycastle:bcprov-jdk15on | 1.70 | 直接依赖 | 可选修复 | |
| org.directwebremoting:dwr | 3.0.2-RELEASE | 3.0.rc3 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 67 | 低 |
| EPL-2.0 | 23 | 低 |
| GPLv2+ | 1 | 中 |
| BSD | 1 | 低 |
| CDDL-1.1 | 1 | 低 |
| 自定义许可证 | 25 | 低 |
| MIT | 4 | 低 |
| JSON | 1 | 低 |
| LGPL-2.1-or-later | 1 | 低 |
| BSD-3-Clause | 3 | 低 |
| BSD-2-Clause | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| com.rometools:rome-utils | 1.15.0 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-server | 10.0.17 | 直接依赖 | maven |
| pam | 间接依赖 | ||
| libc.so.6 | 间接依赖 | ||
| io.netty:netty-transport-native-unix-common | 4.1.100.Final | 间接依赖 | maven |
| org.apache.taglibs:taglibs-standard-impl | 1.2.5 | 直接依赖 | maven |
| io.netty:netty-handler-proxy | 4.1.100.Final | 间接依赖 | maven |
| io.netty:netty-transport-udt | 4.1.100.Final | 间接依赖 | maven |
| javax.xml.bind:jaxb-api | 2.3.1 | 直接依赖 | maven |
| org.apache.commons:commons-pool2 | 2.9.0 | 直接依赖 | maven |
| com.google.guava:guava | 32.0.1-jre | 直接依赖 | maven |
| org.glassfish.jaxb:txw2 | 2.3.3 | 间接依赖 | maven |
| org.igniterealtime.openfire:xmppserver | 4.8.0-SNAPSHOT | 直接依赖 | maven |
| io.netty:netty-transport-native-epoll | 4.1.100.Final | 间接依赖 | maven |
| libdl.so.2 | 间接依赖 | ||
| org.bouncycastle:bcprov-jdk15on | 1.70 | 直接依赖 | maven |
| com.github.jgonian:commons-ip-math | 1.32 | 直接依赖 | maven |
| /usr/lib/libpam.1.dylib | 间接依赖 | ||
| org.apache.logging.log4j:log4j-core | 2.20.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-jmx | 10.0.17 | 直接依赖 | maven |
| org.apache.httpcomponents:httpclient | 4.5.13 | 直接依赖 | maven |
| org.apache.commons:commons-dbcp2 | 2.9.0 | 直接依赖 | maven |
| net.jcip:jcip-annotations | 1.0 | 间接依赖 | maven |
| org.eclipse.jetty.toolchain:jetty-servlet-api | 4.0.6 | 间接依赖 | maven |
| com.google.code.findbugs:jsr305 | 3.0.2 | 间接依赖 | maven |
| io.netty:netty-common | 4.1.100.Final | 间接依赖 | maven |
| org.slf4j:jcl-over-slf4j | 2.0.9 | 直接依赖 | maven |
| org.eclipse.jetty.websocket:websocket-core-common | 10.0.17 | 间接依赖 | maven |
| org.json:json | 20231013 | 直接依赖 | maven |
| org.apache.logging.log4j:log4j-api | 2.20.0 | 直接依赖 | maven |
| jmdns:jmdns | 1.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-annotations | 10.0.17 | 直接依赖 | maven |
| io.netty:netty-transport-sctp | 4.1.100.Final | 间接依赖 | maven |
| com.sun.mail:javax.mail | 1.6.2 | 直接依赖 | maven |
| io.netty:netty-transport-rxtx | 4.1.100.Final | 间接依赖 | maven |
| io.netty:netty-resolver-dns | 4.1.100.Final | 间接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 1.3.5 | 间接依赖 | maven |
| io.netty:netty-codec-dns | 4.1.100.Final | 间接依赖 | maven |
| com.google.guava:listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava | 间接依赖 | maven |
| org.eclipse.jetty:jetty-xml | 10.0.17 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-jndi | 10.0.17 | 间接依赖 | maven |
| /System/Library/Frameworks/JavaVM.framework/Versions/A/JavaVM | 间接依赖 | ||
| io.netty:netty-transport-native-kqueue | 4.1.100.Final | 间接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.9 | 直接依赖 | maven |
| io.netty:netty-codec-smtp | 4.1.100.Final | 间接依赖 | maven |
| net.sourceforge.jtds:jtds | 1.3.1 | 直接依赖 | maven |
| com.google.errorprone:error_prone_annotations | 2.18.0 | 间接依赖 | maven |
| org.eclipse.jetty.websocket:websocket-jetty-api | 10.0.17 | 间接依赖 | maven |
| commons-io:commons-io | 2.11.0 | 间接依赖 | maven |
| com.google.guava:failureaccess | 1.0.1 | 间接依赖 | maven |
| /usr/lib/libSystem.B.dylib | 间接依赖 | ||
| io.netty:netty-transport-classes-kqueue | 4.1.100.Final | 间接依赖 | maven |
| org.eclipse.jetty:apache-jsp | 10.0.17 | 直接依赖 | maven |
| commons-codec:commons-codec | 1.15 | 直接依赖 | maven |
| org.eclipse.jetty.toolchain:jetty-schemas | 4.0.3 | 间接依赖 | maven |
| com.rometools:rome | 1.15.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-plus | 10.0.17 | 直接依赖 | maven |
| com.twelvemonkeys.common:common-image | 3.9.4 | 间接依赖 | maven |
| io.netty:netty-resolver-dns-classes-macos | 4.1.100.Final | 间接依赖 | maven |
| org.gnu.inet:libidn | 1.35 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-webapp | 10.0.17 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-util | 10.0.17 | 间接依赖 | maven |
| jakarta.xml.bind:jakarta.xml.bind-api | 2.3.3 | 间接依赖 | maven |
| io.netty:netty-all | 4.1.100.Final | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-runtime | 2.3.3 | 直接依赖 | maven |
| org.apache.taglibs:taglibs-standard-spec | 1.2.5 | 直接依赖 | maven |
| io.netty:netty-transport-classes-epoll | 4.1.100.Final | 间接依赖 | maven |
| com.mysql:mysql-connector-j | 8.0.32 | 直接依赖 | maven |
| org.eclipse.jetty.websocket:websocket-core-server | 10.0.17 | 间接依赖 | maven |
| org.fusesource.jansi:jansi | 1.18 | 直接依赖 | maven |
| org.ow2.asm:asm-commons | 9.6 | 间接依赖 | maven |
| jaxen:jaxen | 1.2.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-servlets | 10.0.17 | 直接依赖 | maven |
| jakarta.transaction:jakarta.transaction-api | 1.3.3 | 间接依赖 | maven |
| org.apache.logging.log4j:log4j-slf4j2-impl | 2.20.0 | 直接依赖 | maven |
| io.netty:netty-codec-memcache | 4.1.100.Final | 间接依赖 | maven |
| org.checkerframework:checker-qual | 3.31.0 | 间接依赖 | maven |
| org.directwebremoting:dwr | 3.0.2-RELEASE | 直接依赖 | maven |
| io.netty:netty-codec-socks | 4.1.100.Final | 间接依赖 | maven |
| org.mortbay.jasper:apache-jsp | 9.0.52 | 间接依赖 | maven |
| org.eclipse.jetty.websocket:websocket-jetty-common | 10.0.17 | 间接依赖 | maven |
| io.netty:netty-handler-ssl-ocsp | 4.1.100.Final | 间接依赖 | maven |
| org.slf4j:slf4j-api | 2.0.9 | 直接依赖 | maven |
| com.twelvemonkeys.common:common-lang | 3.9.4 | 间接依赖 | maven |
| javax.activation:activation | 1.1 | 间接依赖 | maven |
| io.netty:netty-handler | 4.1.100.Final | 间接依赖 | maven |
| org.mortbay.jasper:apache-el | 9.0.52 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-io | 10.0.17 | 间接依赖 | maven |
| KERNEL32.dll | 间接依赖 | ||
| com.jcraft:jzlib | 1.1.3 | 直接依赖 | maven |
| opensymphony:sitemesh | 2.4.2 | 直接依赖 | maven |
| io.netty:netty-codec-haproxy | 4.1.100.Final | 间接依赖 | maven |
| org.apache.httpcomponents:httpcore | 4.4.13 | 间接依赖 | maven |
| com.microsoft.sqlserver:mssql-jdbc | 9.4.1.jre11 | 直接依赖 | maven |
| commons-fileupload:commons-fileupload | 1.5 | 直接依赖 | maven |
| io.netty:netty-codec-stomp | 4.1.100.Final | 间接依赖 | maven |
| org.eclipse.jdt:ecj | 3.26.0 | 间接依赖 | maven |
| org.bouncycastle:bcpkix-jdk15on | 1.70 | 直接依赖 | maven |
| io.netty:netty-resolver | 4.1.100.Final | 间接依赖 | maven |
| io.netty:netty-buffer | 4.1.100.Final | 间接依赖 | maven |
| org.ow2.asm:asm | 9.6 | 间接依赖 | maven |
| io.netty:netty-codec-xml | 4.1.100.Final | 间接依赖 | maven |
| xpp3:xpp3 | 1.1.4c | 直接依赖 | maven |
| io.netty:netty-transport | 4.1.100.Final | 间接依赖 | maven |
| org.postgresql:postgresql | 42.6.0 | 直接依赖 | maven |
| com.twelvemonkeys.imageio:imageio-core | 3.9.4 | 间接依赖 | maven |
| org.eclipse.jetty.websocket:websocket-jetty-server | 10.0.17 | 直接依赖 | maven |
| org.apache.commons:commons-text | 1.10.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-http | 10.0.17 | 间接依赖 | maven |
| io.netty:netty-codec-mqtt | 4.1.100.Final | 间接依赖 | maven |
| io.netty:netty-resolver-dns-native-macos | 4.1.100.Final | 间接依赖 | maven |
| org.bouncycastle:bcutil-jdk15on | 1.70 | 间接依赖 | maven |
| org.hsqldb:hsqldb | 2.7.1 | 直接依赖 | maven |
| org.jsmpp:jsmpp | 2.3.10 | 直接依赖 | maven |
| org.jdom:jdom2 | 2.0.6 | 间接依赖 | maven |
| org.bouncycastle:bcpg-jdk15on | 1.70 | 直接依赖 | maven |
| org.igniterealtime:tinder | 2.0.0 | 直接依赖 | maven |
| org.igniterealtime.openfire:i18n | 4.8.0-SNAPSHOT | 直接依赖 | maven |
| com.github.ben-manes.caffeine:caffeine | 2.7.0 | 间接依赖 | maven |
| io.netty:netty-codec | 4.1.100.Final | 间接依赖 | maven |
| org.dom4j:dom4j | 2.1.3 | 直接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| io.netty:netty-codec-http | 4.1.100.Final | 间接依赖 | maven |
| com.sun.activation:jakarta.activation | 1.2.2 | 间接依赖 | maven |
| io.netty:netty-codec-redis | 4.1.100.Final | 间接依赖 | maven |
| com.twelvemonkeys.common:common-io | 3.9.4 | 间接依赖 | maven |
| io.netty:netty-codec-http2 | 4.1.100.Final | 间接依赖 | maven |
| javax.activation:javax.activation-api | 1.2.0 | 间接依赖 | maven |
| com.sun.istack:istack-commons-runtime | 3.0.11 | 间接依赖 | maven |
| com.twelvemonkeys.imageio:imageio-bmp | 3.9.4 | 直接依赖 | maven |
| NETAPI32.dll | 间接依赖 | ||
| org.eclipse.jetty.websocket:websocket-servlet | 10.0.17 | 间接依赖 | maven |
| com.google.j2objc:j2objc-annotations | 2.8 | 间接依赖 | maven |
| org.ow2.asm:asm-tree | 9.6 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-servlet | 10.0.17 | 间接依赖 | maven |
| com.cenqua.shaj:shaj | 0.5 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-security | 10.0.17 | 间接依赖 | maven |