基础信息
项目名称:andreapollastri/cipi
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1720566057245409280/1720566057283158016
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Dompdf 代码问题漏洞 | SSRF | MPS-2022-0192 | CVE-2022-0085 | 中危 |
| Laravel v9.1.8 反序列化漏洞 | 反序列化 | MPS-2022-10162 | CVE-2022-30778 | 严重 |
| Guzzle 信息泄露漏洞 | 敏感数据的不恰当跨边界移除 | MPS-2022-11072 | CVE-2022-31042 | 高危 |
| Guzzle 信息泄露漏洞 | 敏感数据的不恰当跨边界移除 | MPS-2022-11073 | CVE-2022-31043 | 高危 |
| Guzzle 信息泄露漏洞 | 敏感数据的不恰当跨边界移除 | MPS-2022-11120 | CVE-2022-31090 | 高危 |
| Guzzle 信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2022-11121 | CVE-2022-31091 | 高危 |
| dompdf/dompdf 存在代码注入漏洞 | 代码注入 | MPS-2022-14193 | 高危 | |
| PSR-7 Message Implementation 验证错误漏洞 | 对数据真实性的验证不充分 | MPS-2022-3742 | CVE-2022-24775 | 高危 |
| Sensio Labs Symfony 授权问题漏洞 | 授权机制不恰当 | MPS-2022-3861 | CVE-2022-24894 | 高危 |
| Dompdf 安全漏洞 | 文件名或路径的外部可控制 | MPS-2022-51322 | CVE-2022-2400 | 中危 |
| Laravel 安全漏洞 | 通过差异性导致的信息暴露 | MPS-2022-56670 | CVE-2022-40482 | 中危 |
| Dompdf 安全漏洞 | 对外部实体的文件或目录可访问 | MPS-2022-57837 | CVE-2022-41343 | 高危 |
| PHP-JWT 安全漏洞 | 使用不兼容类型访问资源(类型混淆) | MPS-2022-6966 | CVE-2021-46743 | 严重 |
| Dompdf 注入漏洞 | XSS | MPS-2022-7528 | CVE-2022-28368 | 严重 |
| Guzzle信息泄露漏洞 | 在信任Cookie未进行验证与完整性检查 | MPS-2022-8649 | CVE-2022-29248 | 高危 |
| Dompdf 安全漏洞 | 授权检查错误 | MPS-2023-2187 | CVE-2023-23924 | 严重 |
| Dompdf | 解释冲突 | MPS-2023-3319 | CVE-2023-24813 | 严重 |
| Terrafrost phpseclib 安全漏洞 | 不可达退出条件的循环(无限循环) | MPS-2023-6867 | CVE-2023-27560 | 高危 |
| PSR-7 Message Implementation 安全漏洞 | 解释冲突 | MPS-2023-9403 | CVE-2023-29197 | 高危 |
| Laminas Project diactoros 拒绝服务漏洞 | 拒绝服务 | MPS-2023-9897 | CVE-2023-29530 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| laravel/framework | v8.77.1 | 间接依赖 | 强烈建议修复 | |
| dompdf/dompdf | v1.1.1 | 间接依赖 | 建议修复 | |
| phpseclib/phpseclib | 3.0.12 | 3.0.19 | 间接依赖 | 建议修复 |
| firebase/php-jwt | v5.5.1 | 6.0.0 | 间接依赖 | 建议修复 |
| guzzlehttp/psr7 | 2.1.0 | 2.4.5 | 间接依赖 | 建议修复 |
| guzzlehttp/guzzle | 7.4.1 | 7.4.5 | 间接依赖 | 建议修复 |
| symfony/http-kernel | v5.4.1 | 5.4.20 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 81 | 低 |
| BSD-3-Clause | 30 | 低 |
| Apache-2.0 | 4 | 低 |
| BSD-4-Clause | 4 | 低 |
| LGPL-3.0 | 3 | 中 |
| LGPL-2.0 | 3 | 中 |
| LGPL-2.1 | 1 | 中 |
| GPL-2.0 | 1 | 中 |
| GPL-3.0 | 1 | 中 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| league/config | v1.1.1 | 间接依赖 | composer |
| doctrine/annotations | 1.13.2 | 间接依赖 | composer |
| sebastian/diff | 4.0.4 | 间接依赖 | composer |
| barryvdh/laravel-dompdf | v0.9.0 | 间接依赖 | composer |
| sebastian/object-enumerator | 4.0.4 | 间接依赖 | composer |
| sebastian/exporter | 4.0.4 | 间接依赖 | composer |
| sebastian/version | 3.0.2 | 间接依赖 | composer |
| opis/closure | 3.6.2 | 间接依赖 | composer |
| psr/http-message | 1.0.1 | 间接依赖 | composer |
| phpunit/php-code-coverage | 9.2.10 | 间接依赖 | composer |
| monolog/monolog | 2.3.5 | 间接依赖 | composer |
| nesbot/carbon | 2.55.2 | 间接依赖 | composer |
| laravel/tinker | v2.6.3 | 间接依赖 | composer |
| symfony/polyfill-intl-normalizer | v1.23.0 | 间接依赖 | composer |
| illuminate/contracts | 间接依赖 | composer | |
| lib-pcre | 间接依赖 | composer | |
| hamcrest/hamcrest-php | v2.0.1 | 间接依赖 | composer |
| symfony/translation-contracts | v3.0.0 | 间接依赖 | composer |
| guzzlehttp/promises | 1.5.1 | 间接依赖 | composer |
| sebastian/resource-operations | 3.0.3 | 间接依赖 | composer |
| phpunit/php-timer | 5.0.3 | 间接依赖 | composer |
| symfony/polyfill-php81 | v1.23.0 | 间接依赖 | composer |
| sebastian/environment | 5.1.3 | 间接依赖 | composer |
| psr/http-factory | 1.0.1 | 间接依赖 | composer |
| phpunit/php-file-iterator | 3.0.6 | 间接依赖 | composer |
| league/mime-type-detection | 1.9.0 | 间接依赖 | composer |
| webmozart/assert | 1.10.0 | 间接依赖 | composer |
| league/commonmark | 2.1.0 | 间接依赖 | composer |
| tijsverkoyen/css-to-inline-styles | 2.2.4 | 间接依赖 | composer |
| ralouphie/getallheaders | 3.0.3 | 间接依赖 | composer |
| phpoption/phpoption | 1.8.1 | 间接依赖 | composer |
| phpunit/php-invoker | 3.1.1 | 间接依赖 | composer |
| paragonie/constant_time_encoding | v2.4.0 | 间接依赖 | composer |
| symfony/process | v5.4.0 | 间接依赖 | composer |
| illuminate/database | 间接依赖 | composer | |
| symfony/polyfill-php80 | v1.23.1 | 间接依赖 | composer |
| swagger-api/swagger-ui | v3.52.5 | 间接依赖 | composer |
| psy/psysh | v0.10.12 | 间接依赖 | composer |
| sebastian/code-unit-reverse-lookup | 2.0.3 | 间接依赖 | composer |
| sebastian/cli-parser | 1.0.1 | 间接依赖 | composer |
| sebastian/global-state | 5.0.3 | 间接依赖 | composer |
| symfony/event-dispatcher | v6.0.1 | 间接依赖 | composer |
| mockery/mockery | 1.4.4 | 间接依赖 | composer |
| symfony/service-contracts | v2.4.1 | 间接依赖 | composer |
| symfony/dom-crawler | v5.4.0 | 间接依赖 | composer |
| symfony/polyfill-iconv | v1.23.0 | 间接依赖 | composer |
| psr/log | 2.0.0 | 间接依赖 | composer |
| sebastian/code-unit | 1.0.8 | 间接依赖 | composer |
| asm89/stack-cors | v2.0.3 | 间接依赖 | composer |
| dompdf/dompdf | v1.1.1 | 间接依赖 | composer |
| symfony/deprecation-contracts | v3.0.0 | 间接依赖 | composer |
| psr/event-dispatcher | 1.0.0 | 间接依赖 | composer |
| paragonie/random_compat | v9.99.100 | 间接依赖 | composer |
| phar-io/manifest | 2.0.3 | 间接依赖 | composer |
| psr/simple-cache | 1.0.1 | 间接依赖 | composer |
| symfony/mime | v5.4.0 | 间接依赖 | composer |
| doctrine/lexer | 1.2.1 | 间接依赖 | composer |
| psr/http-client | 1.0.1 | 间接依赖 | composer |
| guzzlehttp/guzzle | 7.4.1 | 间接依赖 | composer |
| sabberworm/php-css-parser | 8.4.0 | 间接依赖 | composer |
| symfony/polyfill-mbstring | v1.23.1 | 间接依赖 | composer |
| phpseclib/phpseclib | 3.0.12 | 间接依赖 | composer |
| brick/math | 0.9.3 | 间接依赖 | composer |
| phpdocumentor/reflection-docblock | 5.3.0 | 间接依赖 | composer |
| fruitcake/laravel-cors | v2.0.4 | 间接依赖 | composer |
| psr/cache | 3.0.0 | 间接依赖 | composer |
| symfony/http-kernel | v5.4.1 | 间接依赖 | composer |
| symfony/console | v5.4.1 | 间接依赖 | composer |
| dragonmantank/cron-expression | v3.1.0 | 间接依赖 | composer |
| sebastian/type | 2.3.4 | 间接依赖 | composer |
| illuminate/support | 间接依赖 | composer | |
| symfony/css-selector | v5.4.0 | 间接依赖 | composer |
| sebastian/comparator | 4.0.6 | 间接依赖 | composer |
| fideloper/proxy | 4.4.1 | 间接依赖 | composer |
| vlucas/phpdotenv | v5.4.1 | 间接依赖 | composer |
| symfony/polyfill-ctype | v1.23.0 | 间接依赖 | composer |
| sebastian/object-reflector | 2.0.4 | 间接依赖 | composer |
| laravel/browser-kit-testing | v6.2.3 | 间接依赖 | composer |
| symfony/error-handler | v5.4.1 | 间接依赖 | composer |
| nette/schema | v1.2.2 | 间接依赖 | composer |
| laravel/serializable-closure | v1.0.5 | 间接依赖 | composer |
| ramsey/uuid | 4.2.3 | 间接依赖 | composer |
| illuminate/testing | 间接依赖 | composer | |
| dflydev/dot-access-data | v3.0.1 | 间接依赖 | composer |
| graham-campbell/result-type | v1.0.4 | 间接依赖 | composer |
| symfony/polyfill-intl-idn | v1.23.0 | 间接依赖 | composer |
| phpspec/prophecy | v1.15.0 | 间接依赖 | composer |
| swiftmailer/swiftmailer | v6.3.0 | 间接依赖 | composer |
| phpunit/php-text-template | 2.0.4 | 间接依赖 | composer |
| symfony/string | v6.0.1 | 间接依赖 | composer |
| egulias/email-validator | 2.1.25 | 间接依赖 | composer |
| symfony/translation | v6.0.1 | 间接依赖 | composer |
| myclabs/deep-copy | 1.10.2 | 间接依赖 | composer |
| symfony/polyfill-intl-grapheme | v1.23.1 | 间接依赖 | composer |
| phpunit/phpunit | 9.5.11 | 间接依赖 | composer |
| theseer/tokenizer | 1.2.1 | 间接依赖 | composer |
| doctrine/inflector | 2.0.4 | 间接依赖 | composer |
| league/flysystem | 1.1.9 | 间接依赖 | composer |
| symfony/finder | v5.4.0 | 间接依赖 | composer |
| darkaonline/l5-swagger | 8.0.9 | 间接依赖 | composer |
| guzzlehttp/psr7 | 2.1.0 | 间接依赖 | composer |
| symfony/polyfill-php72 | v1.23.0 | 间接依赖 | composer |
| zircote/swagger-php | 3.3.3 | 间接依赖 | composer |
| phenx/php-svg-lib | 0.3.4 | 间接依赖 | composer |
| ramsey/collection | 1.2.2 | 间接依赖 | composer |
| symfony/polyfill-php73 | v1.23.0 | 间接依赖 | composer |
| sebastian/complexity | 2.0.2 | 间接依赖 | composer |
| illuminate/http | 间接依赖 | composer | |
| sebastian/lines-of-code | 1.0.3 | 间接依赖 | composer |
| firebase/php-jwt | v5.5.1 | 间接依赖 | composer |
| symfony/var-dumper | v5.4.1 | 间接依赖 | composer |
| nikic/php-parser | v4.13.2 | 间接依赖 | composer |
| voku/portable-ascii | 1.5.6 | 间接依赖 | composer |
| sebastian/recursion-context | 4.0.4 | 间接依赖 | composer |
| symfony/event-dispatcher-contracts | v3.0.0 | 间接依赖 | composer |
| psr/container | 1.1.2 | 间接依赖 | composer |
| symfony/routing | v5.4.0 | 间接依赖 | composer |
| symfony/http-foundation | v5.4.1 | 间接依赖 | composer |
| doctrine/instantiator | 1.4.0 | 间接依赖 | composer |
| symfony/yaml | v5.4.0 | 间接依赖 | composer |
| laravel/framework | v8.77.1 | 间接依赖 | composer |
| phar-io/version | 3.1.0 | 间接依赖 | composer |
| phenx/php-font-lib | 0.5.4 | 间接依赖 | composer |
| illuminate/console | 间接依赖 | composer |