基础信息
项目名称:cgrates/cgrates
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721081358880673792/1729163685236531200
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| jwt-go 安全漏洞 | 授权检查缺失 | MPS-2020-13786 | CVE-2020-26160 | 高危 |
| urllib3 安全漏洞 | MPS-46py-nxai | CVE-2023-45803 | 中危 | |
| PyPI仓库charset-normalizer组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-67h0-j1fr | 高危 | |
| Certifi 数据伪造问题漏洞 | 对数据真实性的验证不充分 | MPS-ck78-r6zg | CVE-2023-37920 | 严重 |
| Requests Proxy-Authorization 标头泄露漏洞 | 未授权敏感信息泄露 | MPS-hr61-tzey | CVE-2023-32681 | 中危 |
| urllib3 HTTP重定向信息泄露漏洞 | 未授权敏感信息泄露 | MPS-s0oy-afbw | CVE-2023-43804 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| charset-normalizer | 3.1.0 | 间接依赖 | 强烈建议修复 | |
| certifi | 2023.5.7 | 2023.7.22 | 间接依赖 | 建议修复 |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 4.0.0-preview1 | 直接依赖 | 建议修复 |
| urllib3 | 2.0.2 | 2.0.7 | 间接依赖 | 建议修复 |
| requests | 2.30.0 | 2.31.0 | 间接依赖 | 建议修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 38 | 低 |
| MIT | 46 | 低 |
| MPL-2.0 | 2 | 低 |
| 自定义许可证 | 8 | 低 |
| BSD-3-Clause | 28 | 低 |
| BSD-2-Clause | 4 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20231030173426-d783a09b4405 | 间接依赖 | go |
| github.com/blevesearch/zap/v15 | v15.0.3 | 间接依赖 | go |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 直接依赖 | go |
| github.com/go-sql-driver/mysql | v1.7.1 | 直接依赖 | go |
| sphinxcontrib-qthelp | 1.0.3 | 间接依赖 | pip |
| github.com/ericlagergren/decimal | v0.0.0-20221120152707-495c53812d05 | 直接依赖 | go |
| github.com/cgrates/baningo | v0.0.0-20210413080722-004ffd5e429f | 直接依赖 | go |
| github.com/rabbitmq/amqp091-go | v1.9.0 | 直接依赖 | go |
| github.com/mschoch/smat | v0.2.0 | 间接依赖 | go |
| sphinxcontrib-applehelp | 1.0.4 | 间接依赖 | pip |
| github.com/jinzhu/now | v1.1.5 | 间接依赖 | go |
| sphinxcontrib-jsmath | 1.0.1 | 间接依赖 | pip |
| urllib3 | 2.0.2 | 间接依赖 | pip |
| github.com/xdg-go/pbkdf2 | v1.0.0 | 间接依赖 | go |
| github.com/googleapis/gax-go/v2 | v2.12.0 | 间接依赖 | go |
| github.com/nats-io/nuid | v1.0.1 | 间接依赖 | go |
| github.com/philhofer/fwd | v1.1.1 | 间接依赖 | go |
| google.golang.org/protobuf | v1.31.0 | 间接依赖 | go |
| github.com/blevesearch/go-porterstemmer | v1.0.3 | 间接依赖 | go |
| go.opencensus.io | v0.24.0 | 间接依赖 | go |
| github.com/blevesearch/bleve | v1.0.14 | 直接依赖 | go |
| github.com/fsnotify/fsnotify | v1.7.0 | 直接依赖 | go |
| github.com/jinzhu/inflection | v1.0.0 | 间接依赖 | go |
| sphinxcontrib-serializinghtml | 1.1.5 | 间接依赖 | pip |
| gorm.io/gorm | v1.25.5 | 直接依赖 | go |
| jinja2 | 3.1.2 | 间接依赖 | pip |
| github.com/mediocregopher/radix/v3 | v3.8.1 | 直接依赖 | go |
| github.com/golang/protobuf | v1.5.3 | 间接依赖 | go |
| packaging | 23.1 | 间接依赖 | pip |
| sphinxcontrib-htmlhelp | 2.0.1 | 间接依赖 | pip |
| golang.org/x/crypto | v0.14.0 | 直接依赖 | go |
| github.com/nats-io/jwt/v2 | v2.5.3 | 间接依赖 | go |
| github.com/blevesearch/segment | v0.9.0 | 间接依赖 | go |
| github.com/gorhill/cronexpr | v0.0.0-20180427100037-88b0669f7d75 | 直接依赖 | go |
| github.com/jackc/pgpassfile | v1.0.0 | 间接依赖 | go |
| github.com/googleapis/enterprise-certificate-proxy | v0.3.2 | 间接依赖 | go |
| github.com/miekg/dns | v1.1.56 | 直接依赖 | go |
| github.com/jackc/pgservicefile | v0.0.0-20221227161230-091c0ba34f0a | 间接依赖 | go |
| github.com/aws/aws-sdk-go | v1.47.4 | 直接依赖 | go |
| golang.org/x/sys | v0.14.0 | 间接依赖 | go |
| sphinx-tabs | 3.4.1 | 间接依赖 | pip |
| github.com/tinylib/msgp | v1.1.5 | 间接依赖 | go |
| cloud.google.com/go/compute/metadata | v0.2.3 | 间接依赖 | go |
| github.com/cgrates/ugocodec | v0.0.0-20201023092048-df93d0123f60 | 直接依赖 | go |
| github.com/youmark/pkcs8 | v0.0.0-20181117223130-1be2e3e5546d | 间接依赖 | go |
| github.com/golang/snappy | v0.0.4 | 间接依赖 | go |
| github.com/blevesearch/zap/v12 | v12.0.14 | 间接依赖 | go |
| github.com/cgrates/kamevapi | v0.0.0-20220525160402-5b8036487a6c | 直接依赖 | go |
| markupsafe | 2.1.2 | 间接依赖 | pip |
| github.com/syndtr/goleveldb | v1.0.0 | 间接依赖 | go |
| sphinx-copybutton | 0.5.2 | 间接依赖 | pip |
| go.etcd.io/bbolt | v1.3.5 | 间接依赖 | go |
| gorm.io/driver/mysql | v1.5.2 | 直接依赖 | go |
| github.com/google/uuid | v1.4.0 | 间接依赖 | go |
| zipp | 3.15.0 | 间接依赖 | pip |
| github.com/cgrates/fsock | v0.0.0-20230123160954-12cae14030cc | 直接依赖 | go |
| github.com/nyaruka/phonenumbers | v1.1.8 | 直接依赖 | go |
| github.com/couchbase/vellum | v1.0.2 | 间接依赖 | go |
| github.com/klauspost/compress | v1.17.2 | 间接依赖 | go |
| github.com/peterh/liner | v1.2.2 | 直接依赖 | go |
| go.mongodb.org/mongo-driver | v1.12.1 | 直接依赖 | go |
| github.com/blevesearch/snowballstem | v0.9.0 | 间接依赖 | go |
| github.com/segmentio/kafka-go | v0.4.44 | 直接依赖 | go |
| github.com/antchfx/xmlquery | v1.3.18 | 直接依赖 | go |
| github.com/steveyen/gtreap | v0.1.0 | 间接依赖 | go |
| github.com/xdg-go/scram | v1.1.2 | 间接依赖 | go |
| github.com/nats-io/nats-server/v2 | v2.10.4 | 直接依赖 | go |
| github.com/creack/pty | v1.1.20 | 直接依赖 | go |
| github.com/jackc/pgx/v5 | v5.5.0 | 间接依赖 | go |
| github.com/pierrec/lz4/v4 | v4.1.18 | 间接依赖 | go |
| github.com/cgrates/radigo | v0.0.0-20231107162145-dac6e5c377ea | 直接依赖 | go |
| github.com/minio/highwayhash | v1.0.2 | 间接依赖 | go |
| sphinxcontrib-devhelp | 1.0.2 | 间接依赖 | pip |
| github.com/cgrates/rpcclient | v0.0.0-20230605090759-8bb5188b73e5 | 直接依赖 | go |
| github.com/rivo/uniseg | v0.4.4 | 间接依赖 | go |
| google.golang.org/appengine | v1.6.8 | 间接依赖 | go |
| golang.org/x/sync | v0.5.0 | 间接依赖 | go |
| babel | 2.12.1 | 间接依赖 | pip |
| sphinx-rtd-theme | 1.2.0 | 间接依赖 | pip |
| github.com/cgrates/ltcache | v0.0.0-20210405185848-da943e80c1ab | 直接依赖 | go |
| imagesize | 1.4.1 | 间接依赖 | pip |
| alabaster | 0.7.13 | 间接依赖 | pip |
| golang.org/x/tools | v0.14.0 | 间接依赖 | go |
| github.com/cgrates/aringo | v0.0.0-20220525160735-b5990313d99e | 直接依赖 | go |
| github.com/xdg-go/stringprep | v1.0.4 | 间接依赖 | go |
| docutils | 0.18.1 | 间接依赖 | pip |
| golang.org/x/net | v0.17.0 | 直接依赖 | go |
| github.com/mattn/go-runewidth | v0.0.15 | 间接依赖 | go |
| github.com/google/s2a-go | v0.1.7 | 间接依赖 | go |
| sphinxcontrib-jquery | 4.1 | 间接依赖 | pip |
| certifi | 2023.5.7 | 间接依赖 | pip |
| github.com/glycerine/go-unsnap-stream | v0.0.0-20190901134440-81cf024a9e0a | 间接依赖 | go |
| golang.org/x/xerrors | v0.0.0-20231012003039-104605ab7028 | 间接依赖 | go |
| github.com/elastic/go-elasticsearch/v8 | v8.10.1 | 直接依赖 | go |
| github.com/blevesearch/zap/v13 | v13.0.6 | 间接依赖 | go |
| importlib-metadata | 6.6.0 | 间接依赖 | pip |
| sphinx_rtd_theme | 1.2.0 | 间接依赖 | pip |
| cloud.google.com/go/compute | v1.23.1 | 间接依赖 | go |
| github.com/blevesearch/zap/v11 | v11.0.14 | 间接依赖 | go |
| github.com/cenkalti/hub | v1.0.1 | 间接依赖 | go |
| github.com/cgrates/birpc | v1.3.1-0.20211117095917-5b0ff29f3084 | 直接依赖 | go |
| github.com/mitchellh/mapstructure | v1.5.0 | 直接依赖 | go |
| google.golang.org/grpc | v1.59.0 | 间接依赖 | go |
| github.com/jackc/puddle/v2 | v2.2.1 | 间接依赖 | go |
| golang.org/x/mod | v0.14.0 | 间接依赖 | go |
| google.golang.org/api | v0.150.0 | 直接依赖 | go |
| github.com/ishidawataru/sctp | v0.0.0-20191218070446-00ab2ac2db07 | 间接依赖 | go |
| github.com/blevesearch/mmap-go | v1.0.2 | 间接依赖 | go |
| sphinx | 6.2.1 | 间接依赖 | pip |
| pygments | 2.15.1 | 间接依赖 | pip |
| github.com/nats-io/nkeys | v0.4.6 | 间接依赖 | go |
| github.com/RoaringBitmap/roaring | v0.5.5 | 间接依赖 | go |
| requests | 2.30.0 | 间接依赖 | pip |
| github.com/cgrates/sipingo | v1.0.1-0.20200514112313-699ebc1cdb8e | 直接依赖 | go |
| github.com/nats-io/nats.go | v1.31.0 | 直接依赖 | go |
| github.com/couchbase/ghistogram | v0.1.0 | 间接依赖 | go |
| github.com/willf/bitset | v1.1.11 | 间接依赖 | go |
| github.com/montanaflynn/stats | v0.0.0-20171201202039-1bf9dbcd8cbe | 间接依赖 | go |
| golang.org/x/time | v0.4.0 | 间接依赖 | go |
| github.com/blevesearch/zap/v14 | v14.0.5 | 间接依赖 | go |
| idna | 3.4 | 间接依赖 | pip |
| github.com/antchfx/xpath | v1.2.5 | 间接依赖 | go |
| github.com/couchbase/moss | v0.1.0 | 间接依赖 | go |
| gorm.io/driver/postgres | v1.5.4 | 直接依赖 | go |
| sphinx_tabs | 3.4.1 | 间接依赖 | pip |
| github.com/golang/groupcache | v0.0.0-20210331224755-41bb18bfe9da | 间接依赖 | go |
| golang.org/x/text | v0.14.0 | 间接依赖 | go |
| golang.org/x/oauth2 | v0.13.0 | 直接依赖 | go |
| github.com/jmespath/go-jmespath | v0.4.0 | 间接依赖 | go |
| charset-normalizer | 3.1.0 | 间接依赖 | pip |
| github.com/Azure/go-amqp | v1.0.2 | 直接依赖 | go |
| github.com/fiorix/go-diameter/v4 | v4.0.4 | 直接依赖 | go |
| github.com/elastic/elastic-transport-go/v8 | v8.3.0 | 直接依赖 | go |
| snowballstemmer | 2.2.0 | 间接依赖 | pip |
| sphinx_copybutton | 0.5.2 | 间接依赖 | pip |