Basic information
Project name: google/gvisor
Repository address: https://github.com/pterodactyl/panel
Scan report address: https://www.murphysec.com/console/report/1721236315382550528/1728218916127199232
This report is provided by Murphysec
Vulnerability list
| Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| TryGhost express-hbs information disclosure vulnerability | Code injection | MPS-2021-17445 | CVE-2021-32822 | Medium |
| uglify-js | ReDoS | MPS-2022-14112 | | Medium |
| rack inconsistent interpretation of HTTP requests (HTTP request smuggling) vulnerability | HTTP request smuggling | MPS-2022-15297 | | Medium |
| containerd CRI stream server denial of service vulnerability | Denial of service | MPS-2022-1898 | CVE-2022-23471 | Medium |
| Prototype pollution vulnerability in the qs module used by Express | Prototype pollution | MPS-2022-3967 | CVE-2022-24999 | High |
| containerd security vulnerability | Allocation of resources without limits or throttling | MPS-2023-3769 | CVE-2023-25153 | Medium |
| containerd improper implementation of the in-container file permission mechanism | Placing users into an incorrect group | MPS-2023-3789 | CVE-2023-25173 | Medium |
Vulnerable components
| Component name | Version | Minimum fixed version | Dependency relationship | Remediation advice |
|---|---|---|---|---|
| qs | 6.7.0 | 6.7.3 | Indirect dependency | Fix recommended |
| express | 4.17.1 | 4.17.3 | Direct dependency | Fix recommended |
| uglify-js | 3.14.2 | 3.14.3 | Indirect dependency | Optional fix |
| github.com/containerd/containerd | v1.4.13 | 1.5.18 | Direct dependency | Optional fix |
| rack | 2.2.8 | | Indirect dependency | Optional fix |
| hbs | 4.1.2 | | Direct dependency | Optional fix |
License risk
| License type | Related components | License risk |
|---|---|---|
| MIT | 70 | Low |
| Apache-2.0 | 40 | Low |
| BSD-3-Clause | 24 | Low |
| BSD-2-Clause | 4 | Low |
| MPL-2.0 | 2 | Low |
| CC-BY-SA-4.0 | 1 | Medium |
| ISC | 3 | Low |
| Custom license | 1 | Low |
| Apache2 | 1 | Low |
SBOM list
| Component name | Component version | Direct dependency? | Repository |
|---|---|---|---|
| debug | 2.6.9 | Indirect dependency | npm |
| github.com/vishvananda/netlink | v1.1.1-0.20211118161826-650dca95af54 | Direct dependency | go |
| array-flatten | 1.1.1 | Indirect dependency | npm |
| github.com/docker/go-units | v0.4.0 | Indirect dependency | go |
| body-parser | 1.19.0 | Indirect dependency | npm |
| iconv-lite | 0.4.24 | Indirect dependency | npm |
| merge-descriptors | 1.0.1 | Indirect dependency | npm |
| k8s.io/utils | v0.0.0-20211116205334-6203023598ed | Indirect dependency | go |
| gopkg.in/inf.v0 | v0.9.1 | Indirect dependency | go |
| github.com/Microsoft/go-winio | v0.6.0 | Indirect dependency | go |
| serve-static | 1.14.1 | Indirect dependency | npm |
| cookie-signature | 1.0.6 | Indirect dependency | npm |
| sigs.k8s.io/json | v0.0.0-20211020170558-c049b76a60c6 | Indirect dependency | go |
| unpipe | 1.0.0 | Indirect dependency | npm |
| express | 4.17.1 | Direct dependency | npm |
| github.com/cenkalti/backoff | v2.2.1+incompatible | Direct dependency | go |
| range-parser | 1.2.1 | Indirect dependency | npm |
| k8s.io/apimachinery | v0.23.16 | Direct dependency | go |
| github.com/google/btree | v1.1.2 | Direct dependency | go |
| uglify-js | 3.14.2 | Indirect dependency | npm |
| github.com/mohae/deepcopy | v0.0.0-20170308212314-bb9b5e7adda9 | Direct dependency | go |
| github.com/modern-go/reflect2 | v1.0.2 | Indirect dependency | go |
| minimist | 1.2.8 | Indirect dependency | npm |
| wordwrap | 1.0.0 | Indirect dependency | npm |
| gopkg.in/tomb.v1 | v1.0.0-20141024135613-dd632973f1e7 | Indirect dependency | go |
| k8s.io/api | v0.23.16 | Direct dependency | go |
| github.com/modern-go/concurrent | v0.0.0-20180306012644-bacd9c7ef1dd | Indirect dependency | go |
| sigs.k8s.io/structured-merge-diff/v4 | v4.2.3 | Indirect dependency | go |
| mime | 1.6.0 | Indirect dependency | npm |
| ipaddr.js | 1.9.1 | Indirect dependency | npm |
| rack-protection | 2.2.3 | Indirect dependency | bundler |
| finalhandler | 1.1.2 | Indirect dependency | npm |
| send | 0.17.1 | Indirect dependency | npm |
| k8s.io/kube-openapi | v0.0.0-20211115234752-e816edb12b65 | Indirect dependency | go |
| go.opencensus.io | v0.24.0 | Indirect dependency | go |
| github.com/gogo/protobuf | v1.3.2 | Direct dependency | go |
| rack | 2.2.8 | Indirect dependency | bundler |
| utils-merge | 1.0.1 | Indirect dependency | npm |
| github.com/hashicorp/errwrap | v1.0.0 | Indirect dependency | go |
| neo-async | 2.6.2 | Indirect dependency | npm |
| github.com/containerd/console | v1.0.1 | Direct dependency | go |
| fresh | 0.5.2 | Indirect dependency | npm |
| google.golang.org/appengine | v1.6.7 | Indirect dependency | go |
| sigs.k8s.io/yaml | v1.2.0 | Indirect dependency | go |
| encodeurl | 1.0.2 | Indirect dependency | npm |
| redis-errors | 1.2.0 | Indirect dependency | npm |
| google.golang.org/protobuf | v1.31.0 | Direct dependency | go |
| github.com/containerd/ttrpc | v1.1.0 | Indirect dependency | go |
| k8s.io/klog/v2 | v2.30.0 | Indirect dependency | go |
| github.com/go-logr/logr | v1.2.0 | Indirect dependency | go |
| github.com/opencontainers/go-digest | v1.0.0 | Indirect dependency | go |
| nio4r | 2.5.9 | Indirect dependency | bundler |
| github.com/davecgh/go-spew | v1.1.1 | Indirect dependency | go |
| github.com/kr/pty | v1.1.1 | Direct dependency | go |
| github.com/hanwen/go-fuse/v2 | v2.3.0 | Indirect dependency | go |
| golang.org/x/xerrors | v0.0.0-20220907171357-04be3eba64a2 | Indirect dependency | go |
| negotiator | 0.6.2 | Indirect dependency | npm |
| hbs | 4.1.2 | Direct dependency | npm |
| github.com/hashicorp/go-multierror | v1.1.0 | Indirect dependency | go |
| mime-db | 1.49.0 | Indirect dependency | npm |
| github.com/containerd/typeurl | v1.0.2 | Direct dependency | go |
| github.com/containerd/cgroups | v1.0.1 | Direct dependency | go |
| sinatra | 2.2.3 | Indirect dependency | bundler |
| depd | 1.1.2 | Indirect dependency | npm |
| github.com/golang/groupcache | v0.0.0-20210331224755-41bb18bfe9da | Indirect dependency | go |
| raw-body | 2.4.0 | Indirect dependency | npm |
| github.com/Microsoft/hcsshim | v0.8.14 | Indirect dependency | go |
| github.com/containerd/containerd | v1.4.13 | Direct dependency | go |
| source-map | 0.6.1 | Indirect dependency | npm |
| walk | 2.3.14 | Indirect dependency | npm |
| cookie | 0.4.0 | Indirect dependency | npm |
| denque | 1.5.1 | Indirect dependency | npm |
| vary | 1.1.2 | Indirect dependency | npm |
| github.com/json-iterator/go | v1.1.12 | Indirect dependency | go |
| type-is | 1.6.18 | Indirect dependency | npm |
| inherits | 2.0.3 | Indirect dependency | npm |
| github.com/containerd/go-runc | v1.0.0 | Direct dependency | go |
| media-typer | 0.3.0 | Indirect dependency | npm |
| statuses | 1.5.0 | Indirect dependency | npm |
| gotest.tools/v3 | v3.4.0 | Indirect dependency | go |
| golang.org/x/mod | v0.13.0 | Direct dependency | go |
| golang.org/x/term | v0.13.0 | Indirect dependency | go |
| google.golang.org/grpc | v1.53.0-dev.0.20230123225046-4075ef07c5d5 | Indirect dependency | go |
| redis-commands | 1.7.0 | Indirect dependency | npm |
| golang.org/x/sys | v0.13.0 | Direct dependency | go |
| redis-parser | 2.6.0 | Indirect dependency | npm |
| forwarded | 0.2.0 | Indirect dependency | npm |
| ruby2_keywords | 0.0.5 | Indirect dependency | bundler |
| github.com/gofrs/flock | v0.8.0 | Direct dependency | go |
| mime-types | 2.1.32 | Indirect dependency | npm |
| golang.org/x/exp | v0.0.0-20230725093048-515e97ebf090 | Indirect dependency | go |
| google.golang.org/genproto | v0.0.0-20230110181048-76db0878b65f | Indirect dependency | go |
| accepts | 1.3.7 | Indirect dependency | npm |
| github.com/godbus/dbus/v5 | v5.1.0 | Direct dependency | go |
| safe-buffer | 5.1.2 | Indirect dependency | npm |
| golang.org/x/oauth2 | v0.4.0 | Indirect dependency | go |
| tilt | 2.3.0 | Indirect dependency | bundler |
| redis | 3.1.2 | Direct dependency | npm |
| golang.org/x/time | v0.3.0 | Direct dependency | go |
| toidentifier | 1.0.0 | Indirect dependency | npm |
| github.com/golang/protobuf | v1.5.2 | Indirect dependency | go |
| safer-buffer | 2.1.2 | Indirect dependency | npm |
| ee-first | 1.1.1 | Indirect dependency | npm |
| setprototypeof | 1.1.1 | Indirect dependency | npm |
| handlebars | 4.7.7 | Indirect dependency | npm |
| http-errors | 1.7.2 | Indirect dependency | npm |
| github.com/containerd/continuity | v0.3.0 | Indirect dependency | go |
| secure-random-string | 1.1.3 | Direct dependency | npm |
| github.com/syndtr/gocapability | v0.0.0-20200815063812-42c35b437635 | Direct dependency | go |
| content-type | 1.0.4 | Indirect dependency | npm |
| gopkg.in/yaml.v2 | v2.4.0 | Indirect dependency | go |
| puma | 5.6.7 | Indirect dependency | bundler |
| github.com/cilium/ebpf | v0.9.3 | Direct dependency | go |
| gopkg.in/yaml.v3 | v3.0.1 | Indirect dependency | go |
| github.com/google/go-cmp | v0.5.9 | Indirect dependency | go |
| github.com/mattbaird/jsonpatch | v0.0.0-20171005235357-81af80346b1a | Direct dependency | go |
| parseurl | 1.3.3 | Indirect dependency | npm |
| golang.org/x/net | v0.17.0 | Indirect dependency | go |
| honnef.co/go/tools | v0.4.2 | Indirect dependency | go |
| github.com/google/subcommands | v1.0.2-0.20190508160503-636abe8753b8 | Direct dependency | go |
| methods | 1.1.2 | Indirect dependency | npm |
| escape-html | 1.0.3 | Indirect dependency | npm |
| github.com/coreos/go-systemd/v22 | v22.5.0 | Direct dependency | go |
| path-to-regexp | 0.1.7 | Indirect dependency | npm |
| content-disposition | 0.5.3 | Indirect dependency | npm |
| golang.org/x/text | v0.13.0 | Indirect dependency | go |
| mustermann | 2.0.2 | Indirect dependency | bundler |
| golang.org/x/tools | v0.14.0 | Direct dependency | go |
| foreachasync | 3.0.0 | Indirect dependency | npm |
| ms | 2.0.0 | Indirect dependency | npm |
| github.com/opencontainers/runtime-spec | v1.1.0-rc.1 | Direct dependency | go |
| golang.org/x/sync | v0.4.0 | Direct dependency | go |
| github.com/pkg/errors | v0.9.1 | Indirect dependency | go |
| on-finished | 2.3.0 | Indirect dependency | npm |
| github.com/bazelbuild/rules_go | v0.38.1 | Direct dependency | go |
| destroy | 1.0.4 | Indirect dependency | npm |
| k8s.io/client-go | v0.23.16 | Direct dependency | go |
| bytes | 3.1.0 | Indirect dependency | npm |
| github.com/google/gofuzz | v1.1.0 | Indirect dependency | go |
| github.com/vishvananda/netns | v0.0.0-20200728191858-db3c7e526aae | Indirect dependency | go |
| github.com/googleapis/gnostic | v0.5.5 | Indirect dependency | go |
| github.com/sirupsen/logrus | v1.9.3 | Direct dependency | go |
| etag | 1.8.1 | Indirect dependency | npm |
| proxy-addr | 2.0.7 | Indirect dependency | npm |
| github.com/containerd/fifo | v1.0.0 | Direct dependency | go |
| qs | 6.7.0 | Indirect dependency | npm |
| github.com/BurntSushi/toml | v1.2.1 | Direct dependency | go |