基础信息
项目名称:electrode-io/electrode-csrf-jwt
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721160111870705664/1730229810122149888
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Ajv v6.12.2 输入验证错误漏洞 | MAID | MPS-2020-10525 | CVE-2020-15366 | 中危 |
| Fastify 资源管理错误漏洞 | 拒绝服务 | MPS-2020-11068 | CVE-2020-8192 | 中危 |
| Delvedor find-my-way 环境问题漏洞 | HTTP请求走私 | MPS-2020-15455 | CVE-2020-7764 | 高危 |
| Fastify-Static 安全漏洞 | 跨站重定向 | MPS-2021-19248 | CVE-2021-22963 | 中危 |
| fastify 存在拒绝服务漏洞 | 拒绝服务 | MPS-2022-13675 | 中危 | |
| node-semver 安全漏洞 | ReDoS | MPS-2022-5166 | CVE-2022-25883 | 高危 |
| minimatch 资源管理错误漏洞 | 拒绝服务 | MPS-2022-59845 | CVE-2022-3517 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| find-my-way | 2.2.2 | 2.2.5 | 间接依赖 | 建议修复 |
| minimatch | 3.0.4 | 3.0.5 | 间接依赖 | 建议修复 |
| semver | 6.3.0 | 7.5.2 | 间接依赖 | 可选修复 |
| fastify-static | 2.6.0 | 4.4.1 | 直接依赖 | 可选修复 |
| ajv | 6.12.0 | 6.12.3 | 间接依赖 | 可选修复 |
| fastify | 2.13.1 | 2.15.1 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 62 | 低 |
| ISC | 11 | 低 |
| BSD-2-Clause | 1 | 低 |
| BSD-3-Clause | 3 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| semver-store | 0.3.0 | 间接依赖 | npm |
| glob | 7.1.6 | 间接依赖 | npm |
| fast-json-stringify | 1.20.1 | 间接依赖 | npm |
| fast-safe-stringify | 2.0.7 | 间接依赖 | npm |
| semver | 6.3.0 | 间接依赖 | npm |
| uri-js | 4.2.2 | 间接依赖 | npm |
| minimatch | 3.0.4 | 间接依赖 | npm |
| proxy-addr | 2.0.6 | 间接依赖 | npm |
| find-my-way | 2.2.2 | 间接依赖 | npm |
| abstract-logging | 2.0.0 | 间接依赖 | npm |
| ret | 0.2.2 | 间接依赖 | npm |
| fast-json-stable-stringify | 2.1.0 | 间接依赖 | npm |
| quick-format-unescaped | 3.0.3 | 间接依赖 | npm |
| path-is-absolute | 1.0.1 | 间接依赖 | npm |
| concat-map | 0.0.1 | 间接依赖 | npm |
| ipaddr.js | 1.9.1 | 间接依赖 | npm |
| json-schema-traverse | 0.4.1 | 间接依赖 | npm |
| fresh | 0.5.2 | 间接依赖 | npm |
| pino-std-serializers | 2.4.2 | 间接依赖 | npm |
| fastify-plugin | 1.6.1 | 间接依赖 | npm |
| inherits | 2.0.4 | 间接依赖 | npm |
| statuses | 1.4.0 | 间接依赖 | npm |
| atomic-sleep | 1.0.0 | 间接依赖 | npm |
| balanced-match | 1.0.0 | 间接依赖 | npm |
| readable-stream | 3.6.0 | 间接依赖 | npm |
| archy | 1.0.0 | 间接依赖 | npm |
| set-cookie-parser | 2.4.5 | 间接依赖 | npm |
| setprototypeof | 1.1.0 | 间接依赖 | npm |
| avvio | 6.4.1 | 间接依赖 | npm |
| safe-regex2 | 2.0.0 | 间接依赖 | npm |
| brace-expansion | 1.1.11 | 间接依赖 | npm |
| mime | 1.4.1 | 间接依赖 | npm |
| cookie | 0.4.0 | 间接依赖 | npm |
| secure-json-parse | 2.1.0 | 间接依赖 | npm |
| http-errors | 1.6.3 | 间接依赖 | npm |
| forwarded | 0.1.2 | 间接依赖 | npm |
| debug | 4.1.1 | 间接依赖 | npm |
| rfdc | 1.1.4 | 间接依赖 | npm |
| fastq | 1.7.0 | 间接依赖 | npm |
| fastify-cors | 3.0.3 | 直接依赖 | npm |
| light-my-request | 3.7.4 | 间接依赖 | npm |
| cookie-signature | 1.1.0 | 间接依赖 | npm |
| fastify-cookie | 3.6.0 | 直接依赖 | npm |
| fs.realpath | 1.0.0 | 间接依赖 | npm |
| sonic-boom | 0.7.7 | 间接依赖 | npm |
| etag | 1.8.1 | 间接依赖 | npm |
| fastify-static | 2.6.0 | 直接依赖 | npm |
| middie | 4.1.0 | 间接依赖 | npm |
| escape-html | 1.0.3 | 间接依赖 | npm |
| reusify | 1.0.4 | 间接依赖 | npm |
| on-finished | 2.3.0 | 间接依赖 | npm |
| fast-decode-uri-component | 1.0.1 | 间接依赖 | npm |
| range-parser | 1.2.1 | 间接依赖 | npm |
| fast-deep-equal | 3.1.1 | 间接依赖 | npm |
| send | 0.16.2 | 间接依赖 | npm |
| string_decoder | 1.3.0 | 间接依赖 | npm |
| ajv | 6.12.0 | 间接依赖 | npm |
| ms | 2.1.2 | 间接依赖 | npm |
| vary | 1.1.2 | 间接依赖 | npm |
| util-deprecate | 1.0.2 | 间接依赖 | npm |
| tiny-lru | 7.0.2 | 间接依赖 | npm |
| encodeurl | 1.0.2 | 间接依赖 | npm |
| ee-first | 1.1.1 | 间接依赖 | npm |
| deepmerge | 4.2.2 | 间接依赖 | npm |
| fastify | 2.13.1 | 直接依赖 | npm |
| inflight | 1.0.6 | 间接依赖 | npm |
| fast-redact | 2.0.0 | 间接依赖 | npm |
| depd | 1.1.2 | 间接依赖 | npm |
| punycode | 2.1.1 | 间接依赖 | npm |
| path-to-regexp | 4.0.5 | 间接依赖 | npm |
| wrappy | 1.0.2 | 间接依赖 | npm |
| pino | 5.17.0 | 间接依赖 | npm |
| string-similarity | 4.0.1 | 间接依赖 | npm |
| once | 1.4.0 | 间接依赖 | npm |
| destroy | 1.0.4 | 间接依赖 | npm |
| flatstr | 1.0.12 | 间接依赖 | npm |
| safe-buffer | 5.2.0 | 间接依赖 | npm |