基础信息
项目名称:jupyterhub/binderhub
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1719328017666064384/1719328017884168192
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Python 加密问题漏洞 | 密码算法不安全 | MPS-2022-8618 | CVE-2022-29217 | 高危 |
| PyPI仓库charset-normalizer组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-67h0-j1fr | 高危 | |
| Tornado 输入验证错误漏洞 | 跨站重定向 | MPS-84aj-mebq | CVE-2023-28370 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| charset-normalizer | 3.3.0 | 间接依赖 | 强烈建议修复 | |
| pyjwt | 2 | 2.4.0 | 间接依赖 | 建议修复 |
| tornado | 5.1 | 6.3.2 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 15 | 低 |
| 自定义许可证 | 16 | 低 |
| MIT | 14 | 低 |
| BSD-2-Clause | 2 | 低 |
| Apache-2.0 OR BSD-3-Clause | 1 | 低 |
| ISC | 2 | 低 |
| BSD-3-Clause | 2 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| requests | 2.31.0 | 间接依赖 | pip |
| _generate_build_name | 间接依赖 | pip | |
| pyopenssl | 23.2.0 | 间接依赖 | pip |
| docker | 6.1.3 | 间接依赖 | pip |
| pycurl | 7.45.2 | 间接依赖 | pip |
| oauthlib | 3.2.2 | 间接依赖 | pip |
| google-cloud-audit-log | 0.2.5 | 间接依赖 | pip |
| charset-normalizer | 3.3.0 | 间接依赖 | pip |
| urllib3 | 2.0.7 | 间接依赖 | pip |
| pyasn1 | 0.5.0 | 间接依赖 | pip |
| pyyaml | 6.0.1 | 间接依赖 | pip |
| jsonschema | 4.19.1 | 间接依赖 | pip |
| jupyter-telemetry | 0.1.0 | 间接依赖 | pip |
| chartpress | 2.1 | 间接依赖 | pip |
| rpds-py | 0.10.3 | 间接依赖 | pip |
| cachetools | 5.3.1 | 间接依赖 | pip |
| rsa | 4.9 | 间接依赖 | pip |
| pyjwt | 2 | 间接依赖 | pip |
| proto-plus | 1.22.3 | 间接依赖 | pip |
| referencing | 0.30.2 | 间接依赖 | pip |
| python-dateutil | 2.8.2 | 间接依赖 | pip |
| mako | 1.2.4 | 间接依赖 | pip |
| kubernetes | 9.0.1 | 间接依赖 | pip |
| jinja2 | 3.1.2 | 间接依赖 | pip |
| tornado | 5.1 | 间接依赖 | pip |
| websocket-client | 1.6.3 | 间接依赖 | pip |
| _get_image_basename_and_tag | 间接依赖 | pip | |
| async-generator | 1.10 | 间接依赖 | pip |
| npm_builder | 间接依赖 | pip | |
| cryptography | 41.0.4 | 间接依赖 | pip |
| packaging | 23.2 | 间接依赖 | pip |
| ruamel-yaml | 0.17.33 | 间接依赖 | pip |
| typing-extensions | 4.8.0 | 间接依赖 | pip |
| grpcio-status | 1.59.0 | 间接依赖 | pip |
| requests-oauthlib | 1.3.1 | 间接依赖 | pip |
| sqlalchemy | 2.0.21 | 间接依赖 | pip |
| jupyterhub | 3 | 间接依赖 | pip |
| escapism | 1.0.1 | 间接依赖 | pip |
| prometheus-client | 0.17.1 | 间接依赖 | pip |
| pamela | 1.1.0 | 间接依赖 | pip |
| traitlets | 5.10.1 | 间接依赖 | pip |
| markupsafe | 2.1.3 | 间接依赖 | pip |
| jsonschema-specifications | 2023.7.1 | 间接依赖 | pip |
| google-auth | 2.23.2 | 间接依赖 | pip |
| pycparser | 2.21 | 间接依赖 | pip |
| six | 1.16.0 | 间接依赖 | pip |
| dockerspawner | 12 | 间接依赖 | pip |
| idna | 3.4 | 间接依赖 | pip |
| google-cloud-core | 2.3.3 | 间接依赖 | pip |
| grpc-google-iam-v1 | 0.12.6 | 间接依赖 | pip |
| alembic | 1.12.0 | 间接依赖 | pip |
| google-cloud-appengine-logging | 1.3.2 | 间接依赖 | pip |
| python-json-logger | 2.0.7 | 间接依赖 | pip |
| jupyter-repo2docker | 2023.06.0 | 间接依赖 | pip |
| wrap_installers | 间接依赖 | pip | |
| google-cloud-logging | 3.7.0 | 间接依赖 | pip |
| ruamel-yaml-clib | 0.2.7 | 间接依赖 | pip |
| protobuf | 4.24.3 | 间接依赖 | pip |
| ruamel.yaml | 0.17.30 | 间接依赖 | pip |
| certifi | 2023.7.22 | 间接依赖 | pip |
| greenlet | 3.0.0 | 间接依赖 | pip |
| prometheus_client | 间接依赖 | pip | |
| cffi | 1.16.0 | 间接依赖 | pip |
| pyasn1-modules | 0.3.0 | 间接依赖 | pip |
| grpcio | 1.59.0 | 间接依赖 | pip |
| attrs | 23.1.0 | 间接依赖 | pip |
| certipy | 0.1.3 | 间接依赖 | pip |