基础信息
项目名称:yyyar/gobetween
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721692654897795072/1721692655195590656
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| LXD 安全漏洞 | 访问控制不当 | MPS-2016-2783 | CVE-2016-1581 | 中危 |
| LXD 安全漏洞 | 未授权敏感信息泄露 | MPS-2016-2784 | CVE-2016-1582 | 中危 |
| runc containerd 安全漏洞 | 在范围间的资源转移不正确 | MPS-2020-16936 | CVE-2020-15257 | 中危 |
| go-proxyproto 处理逻辑错误漏洞 | 拒绝服务 | MPS-2021-10744 | CVE-2021-23409 | 高危 |
| Pires go-proxyproto 安全漏洞 | 拒绝服务 | MPS-2021-2639 | CVE-2021-23351 | 中危 |
| Gin-Gonic Gin 环境问题漏洞 | HTTP请求走私 | MPS-2021-5932 | CVE-2020-28483 | 高危 |
| containerd CRI stream server 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-1898 | CVE-2022-23471 | 中危 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| Google Go 权限许可和访问控制问题漏洞 | 权限管理不当 | MPS-2022-9049 | CVE-2022-29526 | 中危 |
| containerd 安全漏洞 | 不加限制或调节的资源分配 | MPS-2023-3769 | CVE-2023-25153 | 中危 |
| containerd容器内文件权限机制实现不当 | 将用户置入不正确的用户组 | MPS-2023-3789 | CVE-2023-25173 | 中危 |
| Gin-Gonic Gin 输入验证错误漏洞 | 输入验证不恰当 | MPS-2023-5119 | CVE-2023-26125 | 高危 |
| Gin 安全漏洞 | 下载代码缺少完整性检查 | MPS-2023-9711 | CVE-2023-29401 | 中危 |
| Google Golang 资源管理错误漏洞 | 拒绝服务 | MPS-c8am-hbny | CVE-2023-39325 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| github.com/gin-gonic/gin | v1.6.3 | 1.9.1 | 直接依赖 | 建议修复 |
| github.com/containerd/containerd | v1.3.6 | 1.5.18 | 间接依赖 | 建议修复 |
| golang.org/x/net | v0.0.0-20200707034311-ab3426394381 | 0.17.0 | 间接依赖 | 建议修复 |
| github.com/pires/go-proxyproto | v0.1.3 | 0.6.0 | 直接依赖 | 建议修复 |
| github.com/lxc/lxd | v0.0.0-20200706202337-814c96fcec74 | 2.0.2 | 直接依赖 | 可选修复 |
| golang.org/x/sys | v0.0.0-20200625212154-ddb9806d33ae | 0.1.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 13 | 低 |
| MIT | 12 | 低 |
| MPL-2.0 | 6 | 低 |
| BSD-3-Clause | 12 | 低 |
| BSD-2-Clause | 2 | 低 |
| LGPL-3.0 | 4 | 中 |
| ISC | 2 | 低 |
| CC-BY-SA-4.0 | 1 | 中 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/lxc/lxd | v0.0.0-20200706202337-814c96fcec74 | 直接依赖 | go |
| github.com/containerd/continuity | v0.0.0-20200706134602-f1c9af8e2a20 | 间接依赖 | go |
| github.com/gin-contrib/cors | v1.3.1 | 直接依赖 | go |
| github.com/containerd/containerd | v1.3.6 | 间接依赖 | go |
| github.com/hashicorp/go-hclog | v0.14.1 | 间接依赖 | go |
| github.com/hashicorp/consul/api | v1.5.0 | 直接依赖 | go |
| github.com/google/gopacket | v1.1.17 | 间接依赖 | go |
| github.com/burntsushi/toml | v0.3.1 | 直接依赖 | go |
| github.com/hashicorp/golang-lru | v0.5.4 | 间接依赖 | go |
| github.com/miekg/dns | v1.1.30 | 直接依赖 | go |
| golang.org/x/sync | v0.0.0-20200625203802-6e8e738ad208 | 间接依赖 | go |
| gopkg.in/yaml.v2 | v2.3.0 | 间接依赖 | go |
| github.com/prometheus/client_golang | v1.7.1 | 直接依赖 | go |
| github.com/hashicorp/serf | v0.9.2 | 间接依赖 | go |
| github.com/fsouza/go-dockerclient | v1.6.6-0.20200611205848-6aaf6c2d625c | 直接依赖 | go |
| github.com/flosch/pongo2 | v0.0.0-20200529170236-5abacdfa4915 | 间接依赖 | go |
| github.com/go-playground/validator/v10 | v10.3.0 | 间接依赖 | go |
| google.golang.org/grpc | v1.30.0 | 间接依赖 | go |
| gopkg.in/macaroon-bakery.v2 | v2.2.0 | 间接依赖 | go |
| github.com/juju/persistent-cookiejar | v0.0.0-20171026135701-d5e5a8405ef9 | 间接依赖 | go |
| github.com/moby/term | v0.0.0-20200611042045-63b9a826fb74 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20200707001353-8e8330bf89df | 间接依赖 | go |
| github.com/spf13/pflag | v1.0.5 | 间接依赖 | go |
| github.com/armon/go-metrics | v0.3.3 | 间接依赖 | go |
| github.com/mattn/go-colorable | v0.1.7 | 间接依赖 | go |
| golang.org/x/sys | v0.0.0-20200625212154-ddb9806d33ae | 间接依赖 | go |
| github.com/eric-lindau/udpfacade | v0.0.0-20190621043444-d8c1c27add16 | 直接依赖 | go |
| github.com/juju/go4 | v0.0.0-20160222163258-40d72ab9641a | 间接依赖 | go |
| github.com/elgs/gojq | v0.0.0-20160421194050-81fa9a608a13 | 直接依赖 | go |
| golang.org/x/net | v0.0.0-20200707034311-ab3426394381 | 间接依赖 | go |
| google.golang.org/protobuf | v1.25.0 | 间接依赖 | go |
| gopkg.in/httprequest.v1 | v1.2.1 | 间接依赖 | go |
| github.com/hashicorp/go-immutable-radix | v1.2.0 | 间接依赖 | go |
| github.com/elgs/gosplitargs | v0.0.0-20161028071935-a491c5eeb3c8 | 间接依赖 | go |
| github.com/opencontainers/go-digest | v1.0.0 | 间接依赖 | go |
| github.com/gin-gonic/gin | v1.6.3 | 直接依赖 | go |
| github.com/hashicorp/go-msgpack | v0.5.5 | 间接依赖 | go |
| github.com/sirupsen/logrus | v1.6.0 | 直接依赖 | go |
| github.com/spf13/cobra | v1.0.0 | 直接依赖 | go |
| github.com/rogpeppe/fastuuid | v1.2.0 | 间接依赖 | go |
| github.com/gorilla/websocket | v1.4.2 | 间接依赖 | go |
| github.com/yyyar/gobetween | v0.0.0-00010101000000-000000000000 | 直接依赖 | go |
| github.com/mitchellh/mapstructure | v1.3.2 | 间接依赖 | go |
| golang.org/x/text | v0.3.3 | 间接依赖 | go |
| github.com/juju/webbrowser | v1.0.0 | 间接依赖 | go |
| gopkg.in/robfig/cron.v2 | v2.0.0-20150107220207-be2e0b0deed5 | 间接依赖 | go |
| github.com/mitchellh/go-testing-interface | v1.14.0 | 间接依赖 | go |
| github.com/hashicorp/go-uuid | v1.0.2 | 间接依赖 | go |
| golang.org/x/crypto | v0.0.0-20200622213623-75b288015ac9 | 直接依赖 | go |
| github.com/moby/sys/mountinfo | v0.1.3 | 间接依赖 | go |
| github.com/pires/go-proxyproto | v0.1.3 | 直接依赖 | go |
| gopkg.in/retry.v1 | v1.0.3 | 间接依赖 | go |
| github.com/hashicorp/go-sockaddr | v1.0.2 | 间接依赖 | go |