Basic information
Project name: envoyproxy/envoy
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1721165273888718848/1727916620951019520
This report is provided by Murphysec.
Vulnerability list
| Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| aiohttp security vulnerability | | MPS-2022-18255 | CVE-2022-33124 | Medium |
| AIOHTTP | HTTP request smuggling | MPS-5tgd-mv7y | CVE-2023-47627 | Medium |
| Google Golang resource management error vulnerability | Denial of service | MPS-c8am-hbny | CVE-2023-39325 | High |
| Requests Proxy-Authorization header leak vulnerability | Unauthorized sensitive information disclosure | MPS-hr61-tzey | CVE-2023-32681 | Medium |
| OpenSSL security vulnerability | Excessive iteration | MPS-n3pe-ljgc | CVE-2023-3817 | Medium |
| aiohttp environment issue vulnerability | HTTP request smuggling | MPS-ptqs-e23v | CVE-2023-37276 | High |
| python-cryptography trust management issue vulnerability | Improper certificate validation | MPS-sj5m-20tf | CVE-2023-38325 | High |
Vulnerable components
| Component name | Version | Minimum fixed version | Dependency type | Fix recommendation |
|---|---|---|---|---|
| aiohttp | 3.8.1 | 3.8.6 | Indirect dependency | Fix recommended |
| cryptography | 41.0.1 | 41.0.3 | Indirect dependency | Fix recommended |
| requests | 2.22.0 | 2.31.0 | Indirect dependency | Fix recommended |
| golang.org/x/net | v0.7.0 | 0.17.0 | Indirect dependency | Fix optional |
| golang.org/x/net | v0.8.0 | 0.17.0 | Direct dependency | Fix optional |
License risk
| License type | Related components | License risk |
|---|---|---|
| Custom license | 12 | Low |
| Apache-2.0 | 25 | Low |
| BSD-3-Clause | 13 | Low |
| Apache-2.0 OR BSD-3-Clause | 1 | Low |
| MIT | 2 | Low |
| LGPL-3.0 | 1 | Medium |
| BSD-2-Clause | 2 | Low |
SBOM list
| Component name | Component version | Direct dependency? | Registry |
|---|---|---|---|
| envoy.code.check | 0.5.8 | Indirect dependency | pip |
| google.golang.org/grpc | v1.25.1 | Indirect dependency | go |
| google.golang.org/protobuf | v1.31.0 | Direct dependency | go |
| google.golang.org/genproto | v0.0.0-20230410155749-daa745c078e1 | Indirect dependency | go |
| protobuf | 3.18.0 | Indirect dependency | pip |
| envoy.docs.sphinx_runner | 0.2.9 | Indirect dependency | pip |
| envoy.distribution.release | 0.0.9 | Indirect dependency | pip |
| google.golang.org/grpc | v1.59.0 | Direct dependency | go |
| util | | Indirect dependency | pip |
| github.com/envoyproxy/envoy | v1.24.0 | Direct dependency | go |
| envoy.gpg.identity | 0.1.1 | Indirect dependency | pip |
| google.golang.org/grpc | v1.53.0 | Direct dependency | go |
| golang.org/x/net | v0.8.0 | Direct dependency | go |
| libc.so.6 | | Indirect dependency | |
| envoy.dependency.check | 0.1.10 | Indirect dependency | pip |
| Union | | Indirect dependency | pip |
| dependatool | 0.2.2 | Indirect dependency | pip |
| sphinxcontrib-qthelp | 1.0.3 | Indirect dependency | pip |
| github.com/envoyproxy/protoc-gen-validate | v0.10.1 | Indirect dependency | go |
| envoy.distribution.verify | 0.0.11 | Indirect dependency | pip |
| sphinxcontrib-serializinghtml | 1.1.5 | Indirect dependency | pip |
| github.com/cncf/xds/go | v0.0.0-20230607035331-e9ce68804cb4 | Direct dependency | go |
| aio.api.github | 0.2.5 | Indirect dependency | pip |
| cryptography | 41.0.1 | Indirect dependency | pip |
| pygments | | Indirect dependency | pip |
| aiohttp | | Indirect dependency | pip |
| envoy.base.utils | 0.5.0 | Indirect dependency | pip |
| cffi | 1.15.0 | Indirect dependency | pip |
| H3_ALPN | | Indirect dependency | pip |
| github.com/envoyproxy/envoy/contrib/golang | v1.24.0 | Direct dependency | go |
| aiohttp | 3.8.1 | Indirect dependency | pip |
| Project | | Indirect dependency | pip |
| clang-tidy | 14.0.6 | Indirect dependency | pip |
| aioquic | 0.9.21 | Indirect dependency | pip |
| github.com/cncf/xds/go | v0.0.0-20230310173818-32f1caf87195 | Direct dependency | go |
| google.golang.org/genproto | v0.0.0-20190819201941-24fa4b261c55 | Indirect dependency | go |
| google.golang.org/genproto | v0.0.0-20230306155012-7f2fa6fef1f4 | Indirect dependency | go |
| google.golang.org/genproto | v0.0.0-20230110181048-76db0878b65f | Indirect dependency | go |
| requests | 2.22.0 | Indirect dependency | pip |
| golang.org/x/sys | v0.5.0 | Indirect dependency | go |
| flake8 | 6 | Indirect dependency | pip |
| yarl | 1.7.2 | Indirect dependency | pip |
| github.com/golang/protobuf | v1.5.2 | Indirect dependency | go |
| google.golang.org/protobuf | v1.30.0 | Indirect dependency | go |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20230822172742-b8732ec3820d | Direct dependency | go |
| sphinxcontrib-devhelp | 1.0.2 | Indirect dependency | pip |
| github.com/envoyproxy/protoc-gen-validate | v0.1.0 | Indirect dependency | go |
| github.com/envoyproxy/go-control-plane | v0.11.1 | Direct dependency | go |
| golang.org/x/net | v0.7.0 | Indirect dependency | go |
| flask | | Indirect dependency | pip |
| github.com/cncf/xds/go | v0.0.0-20230112175826-46e39c7b9b43 | Direct dependency | go |
| github.com/envoyproxy/protoc-gen-validate | v0.9.1 | Indirect dependency | go |
| github.com/golang/protobuf | v1.5.3 | Direct dependency | go |
| multidict | 6.0.2 | Indirect dependency | pip |
| List | | Indirect dependency | pip |
| Optional | | Indirect dependency | pip |
| frozendict | 2.3.7 | Indirect dependency | pip |
| sphinxcontrib-applehelp | 1.0.4 | Indirect dependency | pip |
| abstracts | 0.0.12 | Indirect dependency | pip |
| envoy.gpg.sign | 0.2.0 | Indirect dependency | pip |
| google.golang.org/protobuf | v1.28.1 | Direct dependency | go |
| golang.org/x/text | v0.7.0 | Indirect dependency | go |
| sphinxcontrib-htmlhelp | 2.0.1 | Indirect dependency | pip |
| H3Connection | | Indirect dependency | pip |
| sphinx | 7 | Indirect dependency | pip |
| protobuf | 4.22.0 | Indirect dependency | pip |
| github.com/envoyproxy/envoy/examples/grpc-bridge/server/kv | v0.0.0-00010101000000-000000000000 | Direct dependency | go |
| clang-format | 14.0.6 | Indirect dependency | pip |
| envoy.distribution.repo | 0.0.8 | Indirect dependency | pip |
| github.com/google/go-cmp | v0.5.9 | Indirect dependency | go |
| Dict | | Indirect dependency | pip |
| github.com/golang/protobuf | v1.5.0 | Indirect dependency | go |
| gslib | | Indirect dependency | pip |
| IProject | | Indirect dependency | pip |