基础信息
项目名称:FleekHQ/space-daemon
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721200481631469568/1723312731404591104
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| jwt-go 安全漏洞 | 授权检查缺失 | MPS-2020-13786 | CVE-2020-26160 | 高危 |
| Steven Allen go-ipfs 路径遍历漏洞 | 路径遍历 | MPS-2021-3282 | CVE-2020-26279 | 高危 |
| IPFS 安全漏洞 | 对输出编码和转义不恰当 | MPS-2021-3283 | CVE-2020-26283 | 高危 |
| tar-utils 路径遍历漏洞 | 路径遍历 | MPS-2022-52764 | CVE-2020-36566 | 严重 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| Google Go 权限许可和访问控制问题漏洞 | 权限管理不当 | MPS-2022-9049 | CVE-2022-29526 | 中危 |
| go-unixfs 资源管理错误漏洞 | 拒绝服务 | MPS-2023-1744 | CVE-2023-23625 | 高危 |
| Google Golang 资源管理错误漏洞 | 拒绝服务 | MPS-c8am-hbny | CVE-2023-39325 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| github.com/ipfs/go-ipfs | v0.7.0 | 0.8.0 | 直接依赖 | 建议修复 |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 4.0.0-preview1 | 直接依赖 | 建议修复 |
| golang.org/x/net | v0.0.0-20201006153459-a7d1128ccaa0 | 0.17.0 | 直接依赖 | 建议修复 |
| github.com/ipfs/go-unixfs | v0.2.4 | 0.4.3 | 直接依赖 | 建议修复 |
| golang.org/x/sys | v0.0.0-20201113135734-0a15ea8d9b02 | 0.1.0 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 37 | 低 |
| BSD-3-Clause | 13 | 低 |
| Apache-2.0 | 15 | 低 |
| BSD-2-Clause | 2 | 低 |
| HPND | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/textileio/textile/v2 | v2.1.7 | 直接依赖 | go |
| github.com/ipfs/go-path | v0.0.8 | 间接依赖 | go |
| github.com/textileio/go-threads | v1.0.1 | 直接依赖 | go |
| golang.org/x/sys | v0.0.0-20201113135734-0a15ea8d9b02 | 直接依赖 | go |
| github.com/creamdog/gonfig | v0.0.0-20160810132730-80d86bfb5a37 | 直接依赖 | go |
| github.com/tyler-smith/go-bip39 | v1.0.2 | 直接依赖 | go |
| github.com/onsi/gomega | v1.10.3 | 直接依赖 | go |
| github.com/uber/jaeger-client-go | v2.23.1+incompatible | 直接依赖 | go |
| github.com/mitchellh/go-homedir | v1.1.0 | 直接依赖 | go |
| google.golang.org/protobuf | v1.25.0 | 直接依赖 | go |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 直接依赖 | go |
| gorm.io/driver/sqlite | v1.1.3 | 直接依赖 | go |
| github.com/sirupsen/logrus | v1.7.0 | 直接依赖 | go |
| github.com/pkg/errors | v0.9.1 | 直接依赖 | go |
| github.com/ipfs/go-cid | v0.0.7 | 直接依赖 | go |
| github.com/rs/cors | v1.7.0 | 直接依赖 | go |
| github.com/libp2p/go-libp2p-core | v0.7.0 | 直接依赖 | go |
| github.com/libp2p/go-libp2p-crypto | v0.1.0 | 直接依赖 | go |
| gotest.tools | v2.2.0+incompatible | 直接依赖 | go |
| github.com/dgraph-io/badger | v1.6.2 | 直接依赖 | go |
| github.com/stretchr/testify | v1.6.1 | 直接依赖 | go |
| github.com/opentracing/opentracing-go | v1.2.0 | 直接依赖 | go |
| github.com/alecthomas/jsonschema | v0.0.0-20191017121752-4bb6e3fae4f2 | 直接依赖 | go |
| github.com/hsanjuan/ipfs-lite | v1.1.17 | 间接依赖 | go |
| github.com/ipfs/go-unixfs | v0.2.4 | 直接依赖 | go |
| github.com/ipfs/go-ipld-format | v0.2.0 | 直接依赖 | go |
| github.com/ipfs/go-ipfs-files | v0.0.8 | 直接依赖 | go |
| github.com/cznic/mathutil | v0.0.0-20181122101859-297441e03548 | 间接依赖 | go |
| github.com/ipfs/go-ipfs | v0.7.0 | 直接依赖 | go |
| github.com/tecbot/gorocksdb | v0.0.0-20191217155057-f0fad39f321c | 间接依赖 | go |
| github.com/textileio/dcrypto | v0.0.1 | 直接依赖 | go |
| github.com/99designs/keyring | v1.1.5 | 直接依赖 | go |
| github.com/libp2p/go-libp2p-connmgr | v0.2.4 | 直接依赖 | go |
| github.com/ipfs/go-merkledag | v0.3.2 | 直接依赖 | go |
| github.com/joho/godotenv | v1.3.0 | 直接依赖 | go |
| github.com/improbable-eng/grpc-web | v0.13.0 | 直接依赖 | go |
| github.com/grpc-ecosystem/go-grpc-middleware | v1.2.2 | 直接依赖 | go |
| github.com/ipfs/interface-go-ipfs-core | v0.4.0 | 直接依赖 | go |
| github.com/phayes/freeport | v0.0.0-20180830031419-95f893ade6f2 | 直接依赖 | go |
| github.com/prometheus/client_golang | v1.7.1 | 间接依赖 | go |
| golang.org/x/sync | v0.0.0-20200625203802-6e8e738ad208 | 直接依赖 | go |
| github.com/onsi/ginkgo | v1.14.2 | 直接依赖 | go |
| github.com/odeke-em/go-utils | v0.0.0-20170224015737-e8ebaed0777a | 直接依赖 | go |
| github.com/ipfs/go-ipfs-http-client | v0.1.0 | 直接依赖 | go |
| github.com/golang-collections/collections | v0.0.0-20130729185459-604e922904d3 | 直接依赖 | go |
| github.com/cznic/b | v0.0.0-20181122101859-a26611c4d92d | 间接依赖 | go |
| github.com/ipfs/go-ipfs-config | v0.10.0 | 直接依赖 | go |
| github.com/multiformats/go-multiaddr | v0.3.1 | 直接依赖 | go |
| github.com/golang/protobuf | v1.4.3 | 直接依赖 | go |
| github.com/keybase/go-kext | v0.0.0-20200218013902-e4a86908886a | 直接依赖 | go |
| golang.org/x/crypto | v0.0.0-20200820211705-5c72a883971a | 直接依赖 | go |
| github.com/jmhodges/levigo | v1.0.0 | 间接依赖 | go |
| github.com/grpc-ecosystem/grpc-gateway | v1.14.6 | 直接依赖 | go |
| github.com/cznic/strutil | v0.0.0-20181122101858-275e90344537 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20200702021140-07506425bd67 | 直接依赖 | go |
| github.com/multiformats/go-multihash | v0.0.14 | 直接依赖 | go |
| github.com/radovskyb/watcher | v1.0.7 | 直接依赖 | go |
| github.com/blevesearch/bleve | v1.0.12 | 直接依赖 | go |
| golang.org/x/net | v0.0.0-20201006153459-a7d1128ccaa0 | 直接依赖 | go |
| bazil.org/fuse | v0.0.0-20200117225306-7b5117fecadc | 直接依赖 | go |
| github.com/multiformats/go-multibase | v0.0.3 | 直接依赖 | go |
| gorm.io/gorm | v1.20.5 | 直接依赖 | go |
| google.golang.org/grpc | v1.33.1 | 直接依赖 | go |
| github.com/ipfs/go-ipfs-chunker | v0.0.5 | 直接依赖 | go |