基础信息
项目名称:kadalu/kadalu
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1719358875550662656/1719358875877818368
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Python 安全漏洞 | ReDoS | MPS-2022-57238 | CVE-2022-40897 | 中危 |
| urllib3 安全漏洞 | MPS-46py-nxai | CVE-2023-45803 | 中危 | |
| PyPI仓库charset-normalizer组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-67h0-j1fr | 高危 | |
| OpenSSL 安全漏洞 | 过度迭代 | MPS-n3pe-ljgc | CVE-2023-3817 | 中危 |
| urllib3 HTTP重定向信息泄露漏洞 | 未授权敏感信息泄露 | MPS-s0oy-afbw | CVE-2023-43804 | 高危 |
| Pip 安全漏洞 | 命令注入 | MPS-tlmo-s894 | CVE-2023-5752 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| charset-normalizer | 3.2.0 | 间接依赖 | 强烈建议修复 | |
| urllib3 | 1.26.16 | 1.26.18 | 间接依赖 | 建议修复 |
| cryptography | 41.0.2 | 41.0.3 | 间接依赖 | 可选修复 |
| setuptools | 39.2.0 | 65.5.1 | 间接依赖 | 可选修复 |
| pip | 23.2.1 | 23.3 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| BSD-3-Clause | 6 | 低 |
| Apache-2.0 | 12 | 低 |
| BSD-2-Clause | 3 | 低 |
| 自定义许可证 | 18 | 低 |
| Apache-2.0 OR BSD-3-Clause | 1 | 低 |
| MIT | 25 | 低 |
| LGPL-2.1-or-later | 1 | 低 |
| GPL-2.0-or-later | 1 | 低 |
| ISC | 2 | 低 |
| Apache-2.0 OR MIT | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| starlette | 0.27.0 | 间接依赖 | pip |
| Monitor | 间接依赖 | pip | |
| websockets | 11.0.3 | 间接依赖 | pip |
| bcrypt | 4.0.1 | 间接依赖 | pip |
| pyasn1 | 0.5.0 | 间接依赖 | pip |
| bleach | 6.0.0 | 间接依赖 | pip |
| requests-toolbelt | 1.0.0 | 间接依赖 | pip |
| oauthlib | 3.2.2 | 间接依赖 | pip |
| cryptography | 41.0.2 | 间接依赖 | pip |
| h11 | 0.14.0 | 间接依赖 | pip |
| typing-extensions | 4.7.1 | 间接依赖 | pip |
| markdown-it-py | 3.0.0 | 间接依赖 | pip |
| prometheus_client | 间接依赖 | pip | |
| six | 1.16.0 | 间接依赖 | pip |
| uvloop | 0.17.0 | 间接依赖 | pip |
| isort | 5.12.0 | 间接依赖 | pip |
| pkginfo | 1.9.6 | 间接依赖 | pip |
| setuptools | 39.2.0 | 间接依赖 | pip |
| xxhash | 3.2.0 | 间接依赖 | pip |
| rsa | 4.9 | 间接依赖 | pip |
| pynacl | 1.5.0 | 间接依赖 | pip |
| charset-normalizer | 3.2.0 | 间接依赖 | pip |
| requests | 2.31.0 | 间接依赖 | pip |
| secretstorage | 3.3.3 | 间接依赖 | pip |
| prometheus-client | 0.17.1 | 间接依赖 | pip |
| more-itertools | 10.0.0 | 间接依赖 | pip |
| websocket-client | 1.6.1 | 间接依赖 | pip |
| cachetools | 5.3.1 | 间接依赖 | pip |
| /tmp/server-requirements.txt | 间接依赖 | pip | |
| protobuf | 3.20.3 | 间接依赖 | pip |
| googleapis-common-protos | 1.59.1 | 间接依赖 | pip |
| kubectl_kadalu | 间接依赖 | pip | |
| jeepney | 0.8.0 | 间接依赖 | pip |
| pydantic-core | 2.3.0 | 间接依赖 | pip |
| twine | 4.0.2 | 间接依赖 | pip |
| logging_setup | 间接依赖 | pip | |
| setuptools | 68.0.0 | 间接依赖 | pip |
| mdurl | 0.1.2 | 间接依赖 | pip |
| zipp | 3.16.2 | 间接依赖 | pip |
| grpcio | 1.56.2 | 间接依赖 | pip |
| markupsafe | 2.1.3 | 间接依赖 | pip |
| webencodings | 0.5.1 | 间接依赖 | pip |
| packaging | 23.1 | 间接依赖 | pip |
| google-auth | 2.22.0 | 间接依赖 | pip |
| astroid | 2.15.6 | 间接依赖 | pip |
| paramiko | 3.2.0 | 间接依赖 | pip |
| pylint | 2.17.4 | 间接依赖 | pip |
| readme-renderer | 40.0 | 间接依赖 | pip |
| idna | 3.4 | 间接依赖 | pip |
| anyio | 3.7.1 | 间接依赖 | pip |
| docutils | 0.20.1 | 间接依赖 | pip |
| python-dateutil | 2.8.2 | 间接依赖 | pip |
| wrapt | 1.15.0 | 间接依赖 | pip |
| httptools | 0.6.0 | 间接依赖 | pip |
| jinja2 | 3.1.2 | 间接依赖 | pip |
| update_free_size | 间接依赖 | pip | |
| python-dotenv | 1.0.0 | 间接依赖 | pip |
| pygments | 2.15.1 | 间接依赖 | pip |
| kubernetes | 25.3.0 | 间接依赖 | pip |
| click | 8.1.6 | 间接依赖 | pip |
| pip | 23.2.1 | 间接依赖 | pip |
| cffi | 1.15.1 | 间接依赖 | pip |
| jaraco-classes | 3.3.0 | 间接依赖 | pip |
| dill | 0.3.7 | 间接依赖 | pip |
| requests-oauthlib | 1.3.1 | 间接依赖 | pip |
| tomlkit | 0.11.8 | 间接依赖 | pip |
| glustercli | 0.8.6 | 间接依赖 | pip |
| Proc | 间接依赖 | pip | |
| pycparser | 2.21 | 间接依赖 | pip |
| fastapi | 0.100.0 | 间接依赖 | pip |
| pluggy | 1.2.0 | 间接依赖 | pip |
| mccabe | 0.7.0 | 间接依赖 | pip |
| /tmp/operator-requirements.txt | 间接依赖 | pip | |
| zope-interface | 6.0 | 间接依赖 | pip |
| keyring | 24.2.0 | 间接依赖 | pip |
| pyxattr | 0.8.1 | 间接依赖 | pip |
| iniconfig | 2.0.0 | 间接依赖 | pip |
| annotated-types | 0.5.0 | 间接依赖 | pip |
| watchfiles | 0.19.0 | 间接依赖 | pip |
| HOSTVOL_MOUNTDIR | 间接依赖 | pip | |
| logf | 间接依赖 | pip | |
| datetime | 5.2 | 间接依赖 | pip |
| pytz | 2023.3 | 间接依赖 | pip |
| rfc3986 | 2.0.0 | 间接依赖 | pip |
| certifi | 2023.7.22 | 间接依赖 | pip |
| pyyaml | 6.0.1 | 间接依赖 | pip |
| rich | 13.4.2 | 间接依赖 | pip |
| pyasn1-modules | 0.3.0 | 间接依赖 | pip |
| platformdirs | 3.9.1 | 间接依赖 | pip |
| lazy-object-proxy | 1.9.0 | 间接依赖 | pip |
| urllib3 | 1.26.16 | 间接依赖 | pip |
| sniffio | 1.3.0 | 间接依赖 | pip |
| importlib-metadata | 6.8.0 | 间接依赖 | pip |
| pydantic | 2.0.3 | 间接依赖 | pip |
| pytest | 7.4.0 | 间接依赖 | pip |