基础信息
项目名称:dpgaspar/Flask-AppBuilder
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721145775496364032/1729298233049436160
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Pallets Werkzeug 缓冲区错误漏洞 | 越界写入 | MPS-17rl-c20o | CVE-2023-46136 | 高危 |
| Python 加密问题漏洞 | 密码算法不安全 | MPS-2022-8618 | CVE-2022-29217 | 高危 |
| Pallets Werkzeug 安全漏洞 | 输入验证不恰当 | MPS-2023-2197 | CVE-2023-23934 | 低危 |
| Pallets Werkzeug 安全漏洞 | 不加限制或调节的资源分配 | MPS-2023-4282 | CVE-2023-25577 | 高危 |
| Requests Proxy-Authorization 标头泄露漏洞 | 未授权敏感信息泄露 | MPS-hr61-tzey | CVE-2023-32681 | 中危 |
| Flask 安全漏洞 | 通过持久性Cookie导致的信息暴露 | MPS-y7qk-6aom | CVE-2023-30861 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| requests | 2.26.0 | 2.31.0 | 间接依赖 | 建议修复 |
| pyjwt | 2.3.0 | 2.4.0 | 间接依赖 | 建议修复 |
| werkzeug | 2.0.3 | 3.0.1 | 间接依赖 | 建议修复 |
| flask | 2.0.3 | 2.3.2 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 33 | 低 |
| 自定义许可证 | 14 | 低 |
| Apache-2.0 | 6 | 低 |
| BSD-3-Clause | 6 | 低 |
| ISC | 2 | 低 |
| LGPL-3.0 | 2 | 中 |
| GPL-2.0 | 1 | 中 |
| AGPL-3.0 | 1 | 高 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| ANY | 间接依赖 | pip | |
| ordered-set | 4.1.0 | 间接依赖 | pip |
| psycopg2-binary | 2.9.6 | 间接依赖 | pip |
| Type | 间接依赖 | pip | |
| flask-babel | 2.0.0 | 间接依赖 | pip |
| bootstrap-datepicker | 1.10.0 | 间接依赖 | npm |
| BaseFilterConverter | 间接依赖 | pip | |
| sphinxcontrib-blockdiag | 1.5.0 | 间接依赖 | pip |
| flask | 2.0.3 | 间接依赖 | pip |
| flask-wtf | 0.14.3 | 间接依赖 | pip |
| mypy | 0.910 | 间接依赖 | pip |
| black | 23.10.0 | 间接依赖 | pip |
| pkgutil-resolve-name | 1.3.10 | 间接依赖 | pip |
| List | 间接依赖 | pip | |
| app | 间接依赖 | pip | |
| pyjwt | 2.3.0 | 间接依赖 | pip |
| flask-limiter | 3.2.0 | 间接依赖 | pip |
| yaml_utils | 间接依赖 | pip | |
| marshmallow-sqlalchemy | 0.26.1 | 间接依赖 | pip |
| as_unicode | 间接依赖 | pip | |
| has_access | 间接依赖 | pip | |
| wrapt | 1.15.0 | 间接依赖 | pip |
| bootstrap | 3.4.1 | 间接依赖 | npm |
| greenlet | 3.0.0 | 间接依赖 | pip |
| sqlalchemy | 1.4.29 | 间接依赖 | pip |
| CountryStats | 间接依赖 | pip | |
| importlib-metadata | 6.8.0 | 间接依赖 | pip |
| QuerySelectField | 间接依赖 | pip | |
| ModelView | 间接依赖 | pip | |
| fields | 间接依赖 | pip | |
| sphinx-rtd-theme | 0.2.4 | 间接依赖 | pip |
| Authlib | 1.2.1 | 间接依赖 | pip |
| pyodbc | 5.0.1 | 间接依赖 | pip |
| attrs | 21.4.0 | 间接依赖 | pip |
| limits | 3.6.0 | 间接依赖 | pip |
| APISpec | 间接依赖 | pip | |
| flask-sqlalchemy | 2.5.1 | 间接依赖 | pip |
| world-flags-sprite | 0.0.2 | 间接依赖 | npm |
| Datacenter | 间接依赖 | pip | |
| marshmallow-enum | 1.5.1 | 间接依赖 | pip |
| jquery | 3.6.0 | 间接依赖 | npm |
| make_response | 间接依赖 | pip | |
| Integer | 间接依赖 | pip | |
| flash | 间接依赖 | pip | |
| pyyaml | 6.0.1 | 间接依赖 | pip |
| flask_babel | 间接依赖 | pip | |
| importlib-resources | 6.1.0 | 间接依赖 | pip |
| ImageOps | 间接依赖 | pip | |
| Contact | 间接依赖 | pip | |
| Image | 间接依赖 | pip | |
| expose | 间接依赖 | pip | |
| Gender | 间接依赖 | pip | |
| rich | 13.6.0 | 间接依赖 | pip |
| Any | 间接依赖 | pip | |
| jsonschema | 3.2.0 | 间接依赖 | pip |
| DirectChartWidget | 间接依赖 | pip | |
| ContactSubGroup | 间接依赖 | pip | |
| Response | 间接依赖 | pip | |
| SQLA | 间接依赖 | pip | |
| apispec | 间接依赖 | pip | |
| BaseFilter | 间接依赖 | pip | |
| pygments | 2.16.1 | 间接依赖 | pip |
| Permission | 间接依赖 | pip | |
| select2-bootstrap-theme | 0.1.0-beta.10 | 间接依赖 | npm |
| models | 间接依赖 | pip | |
| deprecated | 1.2.14 | 间接依赖 | pip |
| types-PyYAML | 6.0.12.2 | 间接依赖 | pip |
| typing-extensions | 4.8.0 | 间接依赖 | pip |
| packaging | 23.2 | 间接依赖 | pip |
| Flask | 间接依赖 | pip | |
| marshmallow | 3.15.0 | 间接依赖 | pip |
| flask-openid | 1.3.0 | 间接依赖 | pip |
| itsdangerous | 2.1.1 | 间接依赖 | pip |
| GroupByChartView | 间接依赖 | pip | |
| flask-jwt-extended | 4.3.1 | 间接依赖 | pip |
| dnspython | 2.2.1 | 间接依赖 | pip |
| flask-login | 0.4.1 | 间接依赖 | pip |
| relationship | 间接依赖 | pip | |
| mongoengine | 0.27.0 | 间接依赖 | pip |
| coverage | 5.5 | 间接依赖 | pip |
| Role | 间接依赖 | pip | |
| Optional | 间接依赖 | pip | |
| backref | 间接依赖 | pip | |
| python-dateutil | 2.8.2 | 间接依赖 | pip |
| Dict | 间接依赖 | pip | |
| MagicMock | 间接依赖 | pip | |
| colorama | 0.4.4 | 间接依赖 | pip |
| ContactGroup | 间接依赖 | pip | |
| url_for | 间接依赖 | pip | |
| Date | 间接依赖 | pip | |
| @fortawesome/fontawesome-free | 6.2.1 | 间接依赖 | npm |
| MAX_PAGE_SIZE | 间接依赖 | pip | |
| prison | 0.2.1 | 间接依赖 | pip |
| BaseView | 间接依赖 | pip | |
| object | 间接依赖 | pip | |
| wtforms | 2.3.3 | 间接依赖 | pip |
| Form | 间接依赖 | pip | |
| jsonschema-specifications | 2023.7.1 | 间接依赖 | pip |
| setup | 间接依赖 | pip | |
| ModelRestApi | 间接依赖 | pip | |
| click | 8.0.4 | 间接依赖 | pip |
| markdown-it-py | 3.0.0 | 间接依赖 | pip |
| babel | 2.9.1 | 间接依赖 | pip |
| Inventory | 间接依赖 | pip | |
| AppBuilder | 间接依赖 | pip | |
| mysqlclient | 2.0.1 | 间接依赖 | pip |
| aggregate_avg | 间接依赖 | pip | |
| werkzeug | 2.0.3 | 间接依赖 | pip |
| flask_appbuilder | 间接依赖 | pip | |
| jinja2 | 3.0.3 | 间接依赖 | pip |
| has_request_context | 间接依赖 | pip | |
| Markup | 间接依赖 | pip | |
| db | 间接依赖 | pip | |
| flake8 | 3.9.2 | 间接依赖 | pip |
| find_packages | 间接依赖 | pip | |
| string_types | 间接依赖 | pip | |
| parameterized | 0.8.1 | 间接依赖 | pip |
| flake8-import-order | 0.18.1 | 间接依赖 | pip |
| patch | 间接依赖 | pip | |
| PASSWORD_ADMIN | 间接依赖 | pip | |
| pyrsistent | 0.18.1 | 间接依赖 | pip |
| zipp | 3.17.0 | 间接依赖 | pip |
| referencing | 0.30.2 | 间接依赖 | pip |
| ValidationError | 间接依赖 | pip | |
| hiro | 0.5.1 | 间接依赖 | pip |
| ForeignKey | 间接依赖 | pip | |
| six | 1.16.0 | 间接依赖 | pip |
| tox | 3.24.3 | 间接依赖 | pip |
| cython | 0.29.17 | 间接依赖 | pip |
| select2 | 4.0.13 | 间接依赖 | npm |
| sqlalchemy-utils | 0.37.8 | 间接依赖 | pip |
| request | 间接依赖 | pip | |
| IndexView | 间接依赖 | pip | |
| markupsafe | 2.1.1 | 间接依赖 | pip |
| aggregate_sum | 间接依赖 | pip | |
| Callable | 间接依赖 | pip | |
| appbuilder | 间接依赖 | pip | |
| requests | 2.26.0 | 间接依赖 | pip |
| mdurl | 0.1.2 | 间接依赖 | pip |
| pymongo | 4.5.0 | 间接依赖 | pip |
| flask-mongoengine | 1.0.0 | 间接依赖 | pip |
| String | 间接依赖 | pip | |
| jmespath | 0.9.5 | 间接依赖 | pip |
| rpds-py | 0.10.6 | 间接依赖 | pip |
| Field | 间接依赖 | pip | |
| python-ldap | 3.4.3 | 间接依赖 | pip |
| views | 间接依赖 | pip | |
| ChartWidget | 间接依赖 | pip | |
| email-validator | 1.1.3 | 间接依赖 | pip |
| Country | 间接依赖 | pip | |
| pip-tools | 6.8.0 | 间接依赖 | pip |
| idna | 3.3 | 间接依赖 | pip |
| EnumField | 间接依赖 | pip | |
| mypy-extensions | 0.4.3 | 间接依赖 | pip |
| pytz | 2021.1 | 间接依赖 | pip |
| Column | 间接依赖 | pip |