基础信息
项目名称:h2oai/h2ogpt
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721253964955062272/1726470160896188416
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| NumPy 代码问题漏洞 | 空指针取消引用 | MPS-2021-32278 | CVE-2021-41495 | 中危 |
| urllib3 安全漏洞 | MPS-46py-nxai | CVE-2023-45803 | 中危 | |
| PyPI仓库selenium组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-52me-b76a | 高危 | |
| Langchain 安全漏洞 | 注入 | MPS-a49n-xm37 | CVE-2023-32786 | 高危 |
| pypdf 安全漏洞 | 不可达退出条件的循环(无限循环) | MPS-eyh6-nwl1 | CVE-2023-46250 | 中危 |
| urllib3 HTTP重定向信息泄露漏洞 | 未授权敏感信息泄露 | MPS-s0oy-afbw | CVE-2023-43804 | 高危 |
| Pillow 安全漏洞 | 拒绝服务 | MPS-uxbf-5trd | CVE-2023-44271 | 高危 |
| langchain注入漏洞 | 注入 | MPS-x9qb-uct8 | CVE-2023-39659 | 严重 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| selenium | 4.11.2 | 间接依赖 | 强烈建议修复 | |
| urllib3 | 1.26.16 | 1.26.18 | 间接依赖 | 建议修复 |
| numpy | 1.24.3 | 间接依赖 | 可选修复 | |
| pillow | 9.5.0 | 10.0.0 | 间接依赖 | 可选修复 |
| pypdf | 3.14.0 | 3.17.0 | 间接依赖 | 可选修复 |
| langchain | 0.0.321 | 0.0.329 | 间接依赖 | 可选修复 |
| transformers | 4.28.1 | 4.30.0 | 间接依赖 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 23 | 低 |
| BSD-3-Clause | 5 | 低 |
| 自定义许可证 | 13 | 低 |
| Apache-2.0 | 15 | 低 |
| Unlicense | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| bitsandbytes | 0.41.1 | 间接依赖 | pip |
| DocumentSubset | 间接依赖 | pip | |
| appdirs | 1.4.4 | 间接依赖 | pip |
| numpy | 1.24.3 | 间接依赖 | pip |
| H2OExLlamaTokenizer | 间接依赖 | pip | |
| mwparserfromhell | 0.6.4 | 间接依赖 | pip |
| get_chatbot_name | 间接依赖 | pip | |
| scikit-learn | 1.2.2 | 间接依赖 | pip |
| pypdf | 3.14.0 | 间接依赖 | pip |
| tests | 间接依赖 | pip | |
| langchain | 0.0.321 | 间接依赖 | pip |
| pytest-xdist | 3.2.1 | 间接依赖 | pip |
| google-search-results | 2.4.2 | 间接依赖 | pip |
| wraps | 间接依赖 | pip | |
| get_list_or_str | 间接依赖 | pip | |
| beautifulsoup4 | 4.12.2 | 间接依赖 | pip |
| Any | 间接依赖 | pip | |
| neptune | 1.2.0 | 间接依赖 | pip |
| huggingface_hub | 0.16.4 | 间接依赖 | pip |
| gradio | 3.50.2 | 间接依赖 | pip |
| _chunk_sources | 间接依赖 | pip | |
| faiss-cpu | 1.7.4 | 间接依赖 | pip |
| botocore | 1.29.101 | 间接依赖 | pip |
| have_emoji | 间接依赖 | pip | |
| get_sentence | 间接依赖 | pip | |
| partial | 间接依赖 | pip | |
| pillow | 9.5.0 | 间接依赖 | pip |
| dispatch_model | 间接依赖 | pip | |
| pypdfium2 | 4.19.0 | 间接依赖 | pip |
| input_args_list | 间接依赖 | pip | |
| eval_func_param_names | 间接依赖 | pip | |
| lm_dataformat | 0.0.20 | 间接依赖 | pip |
| posthog | 3.0.1 | 间接依赖 | pip |
| python-dotenv | 1.0.0 | 间接依赖 | pip |
| APScheduler | 3.10.1 | 间接依赖 | pip |
| peft | 0.5.0 | 间接依赖 | pip |
| psutil | 5.9.5 | 间接依赖 | pip |
| AutoModelForCausalLM | 间接依赖 | pip | |
| loralib | 0.1.1 | 间接依赖 | pip |
| PromptType | 间接依赖 | pip | |
| openpyxl | 3.1.2 | 间接依赖 | pip |
| torch | 2.0.0 | 间接依赖 | pip |
| llama-cpp-python | 0.2.11 | 间接依赖 | pip |
| urllib3 | 1.26.16 | 间接依赖 | pip |
| Tuple | 间接依赖 | pip | |
| AgentFinish | 间接依赖 | pip | |
| gradio_client | 0.6.1 | 间接依赖 | pip |
| pandas | 2.0.2 | 间接依赖 | pip |
| arxiv | 1.4.8 | 间接依赖 | pip |
| H2OTextGenerationPipeline | 间接依赖 | pip | |
| pynvml | 11.5.0 | 间接依赖 | pip |
| LLMResult | 间接依赖 | pip | |
| pip-licenses | 4.3.0 | 间接依赖 | pip |
| duckdb | 0.7.1 | 间接依赖 | pip |
| langchain_experimental | 0.0.33 | 间接依赖 | pip |
| pytest | 7.2.2 | 间接依赖 | pip |
| source_prefix | 间接依赖 | pip | |
| List | 间接依赖 | pip | |
| selenium | 4.11.2 | 间接依赖 | pip |
| tabulate | 0.9.0 | 间接依赖 | pip |
| instructorembedding | 1.0.1 | 间接依赖 | pip |
| chromadb | 0.4.13 | 间接依赖 | pip |
| LangChainAction | 间接依赖 | pip | |
| tensorboard | 2.13.0 | 间接依赖 | pip |
| weaviate-client | 3.22.1 | 间接依赖 | pip |
| add_parser | 间接依赖 | pip | |
| filelock | 3.12.2 | 间接依赖 | pip |
| StoppingCriteria | 间接依赖 | pip | |
| packaging | 23.1 | 间接依赖 | pip |
| ConnectTimeout | 间接依赖 | pip | |
| rouge_score | 0.1.2 | 间接依赖 | pip |
| tokenizers | 0.14.1 | 间接依赖 | pip |
| sacrebleu | 2.3.1 | 间接依赖 | pip |
| Dict | 间接依赖 | pip | |
| H2OExLlamaGenerator | 间接依赖 | pip | |
| bert_score | 0.3.13 | 间接依赖 | pip |
| h2ogpt_client | 间接依赖 | pip | |
| makedirs | 间接依赖 | pip | |
| replicate | 0.10.0 | 间接依赖 | pip |
| Generation | 间接依赖 | pip | |
| get_ngpus_vis | 间接依赖 | pip | |
| boto3 | 1.26.101 | 间接依赖 | pip |
| text-generation | 0.6.0 | 间接依赖 | pip |
| get_xtt | 间接依赖 | pip | |
| accelerate | 0.18.0 | 间接依赖 | pip |
| Callable | 间接依赖 | pip | |
| Union | 间接依赖 | pip | |
| matplotlib | 3.7.1 | 间接依赖 | pip |
| faiss-gpu | 1.7.2 | 间接依赖 | pip |
| AgentAction | 间接依赖 | pip | |
| bioc | 2.0 | 间接依赖 | pip |
| fire | 0.5.0 | 间接依赖 | pip |
| wrap_test_forked | 间接依赖 | pip | |
| sentencepiece | 0.1.99 | 间接依赖 | pip |
| source_postfix | 间接依赖 | pip | |
| pdfminer.six | 20221105 | 间接依赖 | pip |
| markdown | 3.4.3 | 间接依赖 | pip |
| tqdm | 4.65.0 | 间接依赖 | pip |
| nltk | 3.8.1 | 间接依赖 | pip |
| playwright | 1.37.0 | 间接依赖 | pip |
| docutils | 0.20.1 | 间接依赖 | pip |
| datasets | 2.13.0 | 间接依赖 | pip |
| textstat | 0.7.3 | 间接依赖 | pip |
| flash-attn | 1.0.4 | 间接依赖 | pip |
| sentence_transformers | 2.2.2 | 间接依赖 | pip |
| sacremoses | 0.0.53 | 间接依赖 | pip |
| texts_helium2 | 间接依赖 | pip | |
| make_chatbots | 间接依赖 | pip | |
| AutoTokenizer | 间接依赖 | pip | |
| evaluate | 0.4.0 | 间接依赖 | pip |
| get_inf_server | 间接依赖 | pip | |
| get_llama | 间接依赖 | pip | |
| einops | 0.6.1 | 间接依赖 | pip |
| gpt4all | 1.0.5 | 间接依赖 | pip |
| joblib | 1.3.1 | 间接依赖 | pip |
| init_sentence_state | 间接依赖 | pip | |
| read_popen_pipes | 间接依赖 | pip | |
| AsyncGenerator | 间接依赖 | pip | |
| openai | 0.28.1 | 间接依赖 | pip |
| StoppingCriteriaList | 间接依赖 | pip | |
| JSONDecodeError | 间接依赖 | pip | |
| infer_auto_device_map | 间接依赖 | pip | |
| texts_helium1 | 间接依赖 | pip | |
| Iterator | 间接依赖 | pip | |
| chroma-migrate | 0.0.7 | 间接依赖 | pip |
| requests | 2.31.0 | 间接依赖 | pip |
| tiktoken | 0.4.0 | 间接依赖 | pip |
| sentence_to_wave | 间接依赖 | pip | |
| mwxml | 0.3.3 | 间接依赖 | pip |
| flatten_list | 间接依赖 | pip | |
| transformers | 4.28.1 | 间接依赖 | pip |
| eval_extra_columns | 间接依赖 | pip |