基础信息
项目名称:eolinker/apinto
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721166108693696512/1730246329261056000
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| go-restful 安全漏洞 | 通过用户控制密钥绕过授权机制 | MPS-2022-17334 | CVE-2022-1996 | 严重 |
| Google Golang 资源管理错误漏洞 | MPS-2022-58307 | CVE-2022-41723 | 高危 | |
| Google Go 权限许可和访问控制问题漏洞 | 权限管理不当 | MPS-2022-9049 | CVE-2022-29526 | 中危 |
| Google Golang 资源管理错误漏洞 | 拒绝服务 | MPS-c8am-hbny | CVE-2023-39325 | 高危 |
| CVE-2023-47108漏洞 | 不加限制或调节的资源分配 | MPS-lrfd-7kb6 | CVE-2023-47108 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| github.com/emicklei/go-restful/v3 | v3.7.4 | 3.8.0 | 间接依赖 | 建议修复 |
| golang.org/x/net | v0.0.0-20211112202133-69e39bad7dc2 | 0.17.0 | 间接依赖 | 建议修复 |
| golang.org/x/net | v0.10.0 | 0.17.0 | 直接依赖 | 可选修复 |
| golang.org/x/net | v0.8.0 | 0.17.0 | 间接依赖 | 可选修复 |
| golang.org/x/sys | v0.0.0-20220412211240-33da011f77ad | 0.1.0 | 间接依赖 | 可选修复 |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.25.0 | 0.46.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 84 | 低 |
| MIT | 78 | 低 |
| BSD-3-Clause | 46 | 低 |
| BSD-2-Clause | 9 | 低 |
| MPL-2.0 | 12 | 低 |
| EPL-1.0 | 1 | 低 |
| ISC | 1 | 低 |
| BSD-2-Clause-Views | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/opentracing/opentracing-go | v1.2.0 | 间接依赖 | go |
| github.com/ugorji/go/codec | v1.2.6 | 间接依赖 | go |
| github.com/cncf/udpa/go | v0.0.0-20210930031921-04548b0d99d4 | 间接依赖 | go |
| github.com/go-playground/validator/v10 | v10.11.0 | 间接依赖 | go |
| github.com/apache/dubbo-getty | v1.4.8 | 间接依赖 | go |
| github.com/robfig/cron/v3 | v3.0.1 | 间接依赖 | go |
| github.com/jonboulle/clockwork | v0.2.2 | 间接依赖 | go |
| github.com/polarismesh/polaris-go | v1.1.0 | 直接依赖 | go |
| github.com/davecgh/go-spew | v1.1.1 | 间接依赖 | go |
| go.etcd.io/etcd/client/pkg/v3 | v3.5.4 | 间接依赖 | go |
| golang.org/x/sys | v0.8.0 | 间接依赖 | go |
| github.com/shirou/gopsutil/v3 | v3.22.2 | 间接依赖 | go |
| github.com/hashicorp/errwrap | v1.1.0 | 间接依赖 | go |
| go.uber.org/zap | v1.23.0 | 直接依赖 | go |
| github.com/pkg/sftp | v1.13.4 | 直接依赖 | go |
| github.com/nacos-group/nacos-sdk-go/v2 | v2.2.3 | 直接依赖 | go |
| github.com/kr/fs | v0.1.0 | 间接依赖 | go |
| gopkg.in/ini.v1 | v1.66.2 | 间接依赖 | go |
| github.com/hashicorp/go-immutable-radix | v1.3.1 | 间接依赖 | go |
| github.com/go-logfmt/logfmt | v0.5.0 | 间接依赖 | go |
| github.com/hashicorp/go-rootcerts | v1.0.2 | 间接依赖 | go |
| github.com/google/btree | v1.0.1 | 间接依赖 | go |
| github.com/yusufpapurcu/wmi | v1.2.2 | 间接依赖 | go |
| github.com/stretchr/objx | v0.5.0 | 间接依赖 | go |
| github.com/urfave/cli/v2 | v2.23.4 | 直接依赖 | go |
| go.etcd.io/etcd/server/v3 | v3.5.7 | 间接依赖 | go |
| github.com/hashicorp/vault/sdk | v0.3.0 | 间接依赖 | go |
| github.com/alibaba/sentinel-golang | v1.0.4 | 间接依赖 | go |
| github.com/gogo/protobuf | v1.3.2 | 间接依赖 | go |
| github.com/ghodss/yaml | v1.0.0 | 间接依赖 | go |
| github.com/spaolacci/murmur3 | v1.1.0 | 间接依赖 | go |
| github.com/jcmturner/aescts/v2 | v2.0.0 | 间接依赖 | go |
| github.com/mattn/go-colorable | v0.1.7 | 间接依赖 | go |
| github.com/robertkrimen/otto | v0.0.0-20211024170158-b87d35c0b86f | 直接依赖 | go |
| golang.org/x/crypto | v0.7.0 | 直接依赖 | go |
| github.com/census-instrumentation/opencensus-proto | v0.2.1 | 间接依赖 | go |
| github.com/pierrec/lz4 | v2.5.2+incompatible | 间接依赖 | go |
| gopkg.in/sourcemap.v1 | v1.0.5 | 间接依赖 | go |
| github.com/tklauser/go-sysconf | v0.3.10 | 间接依赖 | go |
| github.com/golang/snappy | v0.0.4 | 直接依赖 | go |
| go.etcd.io/etcd/raft/v3 | v3.5.7 | 间接依赖 | go |
| golang.org/x/sys | v0.0.0-20220412211240-33da011f77ad | 间接依赖 | go |
| github.com/rcrowley/go-metrics | v0.0.0-20201227073835-cf1acfcdf475 | 间接依赖 | go |
| dubbo.apache.org/dubbo-go/v3 | v3.0.2-0.20220519062747-f6405fa79d5c | 直接依赖 | go |
| github.com/zouyx/agollo/v3 | v3.4.5 | 间接依赖 | go |
| gopkg.in/yaml.v2 | v2.4.0 | 间接依赖 | go |
| github.com/fsnotify/fsnotify | v1.5.4 | 间接依赖 | go |
| github.com/golang-jwt/jwt/v4 | v4.4.2 | 间接依赖 | go |
| github.com/dubbogo/gost | v1.13.1 | 直接依赖 | go |
| github.com/go-co-op/gocron | v1.9.0 | 间接依赖 | go |
| google.golang.org/grpc | v1.53.0 | 直接依赖 | go |
| github.com/eapache/go-xerial-snappy | v0.0.0-20180814174437-776d5712da21 | 间接依赖 | go |
| github.com/deepmap/oapi-codegen | v1.8.2 | 间接依赖 | go |
| go.opencensus.io | v0.23.0 | 间接依赖 | go |
| github.com/nsqio/go-nsq | v1.1.0 | 直接依赖 | go |
| golang.org/x/net | v0.10.0 | 直接依赖 | go |
| github.com/aliyun/alibaba-cloud-sdk-go | v1.61.1704 | 间接依赖 | go |
| github.com/spf13/pflag | v1.0.5 | 间接依赖 | go |
| github.com/mattn/go-isatty | v0.0.14 | 间接依赖 | go |
| github.com/modern-go/reflect2 | v1.0.2 | 间接依赖 | go |
| golang.org/x/time | v0.1.0 | 间接依赖 | go |
| github.com/golang/mock | v1.6.0 | 间接依赖 | go |
| golang.org/x/net | v0.8.0 | 间接依赖 | go |
| github.com/grpc-ecosystem/go-grpc-prometheus | v1.2.0 | 间接依赖 | go |
| golang.org/x/sync | v0.1.0 | 间接依赖 | go |
| github.com/leodido/go-urn | v1.2.1 | 间接依赖 | go |
| github.com/go-logr/stdr | v1.2.2 | 间接依赖 | go |
| github.com/tklauser/numcpus | v0.2.2 | 间接依赖 | go |
| github.com/hashicorp/golang-lru | v0.5.4 | 间接依赖 | go |
| github.com/Workiva/go-datastructures | v1.0.52 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20230110181048-76db0878b65f | 间接依赖 | go |
| golang.org/x/net | v0.0.0-20211112202133-69e39bad7dc2 | 间接依赖 | go |
| github.com/pelletier/go-toml | v1.7.0 | 间接依赖 | go |
| github.com/cncf/xds/go | v0.0.0-20211011173535-cb28da3451f1 | 间接依赖 | go |
| github.com/mitchellh/mapstructure | v1.5.0 | 间接依赖 | go |
| github.com/emicklei/go-restful/v3 | v3.7.4 | 间接依赖 | go |
| github.com/uber/jaeger-client-go | v2.29.1+incompatible | 间接依赖 | go |
| github.com/dubbogo/triple | v1.1.8 | 间接依赖 | go |
| github.com/go-playground/locales | v0.14.0 | 间接依赖 | go |
| github.com/grpc-ecosystem/grpc-gateway | v1.16.0 | 直接依赖 | go |
| github.com/go-ole/go-ole | v1.2.4 | 间接依赖 | go |
| github.com/afex/hystrix-go | v0.0.0-20180502004556-fa1af6a1f4f5 | 间接依赖 | go |
| github.com/Shopify/sarama | v1.32.0 | 直接依赖 | go |
| github.com/beorn7/perks | v1.0.1 | 间接依赖 | go |
| golang.org/x/crypto | v0.0.0-20211215153901-e495a2d5b3d3 | 间接依赖 | go |
| golang.org/x/text | v0.8.0 | 直接依赖 | go |
| github.com/dubbogo/go-zookeeper | v1.0.4-0.20211212162352-f9d2183d89d5 | 间接依赖 | go |
| github.com/bits-and-blooms/bitset | v1.2.0 | 间接依赖 | go |
| github.com/coreos/go-systemd/v22 | v22.3.2 | 间接依赖 | go |
| github.com/hashicorp/consul/api | v1.9.1 | 直接依赖 | go |
| go.opentelemetry.io/otel/trace | v1.7.0 | 间接依赖 | go |
| github.com/dubbogo/gost | v1.11.25 | 间接依赖 | go |
| github.com/spf13/cast | v1.3.0 | 间接依赖 | go |
| cloud.google.com/go | v0.65.0 | 间接依赖 | go |
| golang.org/x/oauth2 | v0.0.0-20211104180415-d3ed0bb246c8 | 间接依赖 | go |
| golang.org/x/sync | v0.0.0-20210220032951-036812b2e83c | 间接依赖 | go |
| github.com/go-playground/universal-translator | v0.18.0 | 间接依赖 | go |
| github.com/cpuguy83/go-md2man/v2 | v2.0.2 | 间接依赖 | go |
| github.com/fullstorydev/grpcurl | v1.8.7 | 直接依赖 | go |
| github.com/mitchellh/copystructure | v1.2.0 | 间接依赖 | go |
| github.com/julienschmidt/httprouter | v1.3.0 | 间接依赖 | go |
| github.com/go-logr/logr | v1.2.3 | 间接依赖 | go |
| github.com/influxdata/line-protocol | v0.0.0-20200327222509-2487e7298839 | 间接依赖 | go |
| github.com/go-kit/log | v0.1.0 | 间接依赖 | go |
| github.com/mschoch/smat | v0.2.0 | 间接依赖 | go |
| github.com/pkg/errors | v0.9.1 | 直接依赖 | go |
| github.com/satori/go.uuid | v1.2.1-0.20181028125025-b2ce2384e17b | 间接依赖 | go |
| go.uber.org/multierr | v1.6.0 | 间接依赖 | go |
| github.com/fatih/color | v1.9.0 | 间接依赖 | go |
| github.com/aliyun/alibaba-cloud-sdk-go | v1.61.18 | 间接依赖 | go |
| github.com/shirou/gopsutil | v3.20.11+incompatible | 间接依赖 | go |
| github.com/subosito/gotenv | v1.2.0 | 间接依赖 | go |
| go.etcd.io/etcd/client/v2 | v2.305.7 | 间接依赖 | go |
| github.com/nacos-group/nacos-sdk-go | v1.1.1 | 间接依赖 | go |
| github.com/cespare/xxhash/v2 | v2.1.2 | 间接依赖 | go |
| github.com/coocood/freecache | v1.2.2 | 直接依赖 | go |
| github.com/creasty/defaults | v1.5.2 | 间接依赖 | go |
| github.com/jhump/protoreflect | v1.14.1 | 直接依赖 | go |
| github.com/k0kubun/pp | v3.0.1+incompatible | 间接依赖 | go |
| gopkg.in/ini.v1 | v1.51.0 | 间接依赖 | go |
| github.com/shirou/gopsutil/v3 | v3.21.6 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20230306155012-7f2fa6fef1f4 | 间接依赖 | go |
| github.com/lufia/plan9stats | v0.0.0-20211012122336-39d0f177ccd0 | 间接依赖 | go |
| github.com/hashicorp/go-uuid | v1.0.2 | 间接依赖 | go |
| github.com/xiang90/probing | v0.0.0-20190116061207-43a291ad63a2 | 间接依赖 | go |
| github.com/spf13/afero | v1.2.2 | 间接依赖 | go |
| github.com/spf13/jwalterweatherman | v1.0.0 | 间接依赖 | go |
| github.com/modern-go/concurrent | v0.0.0-20180306012644-bacd9c7ef1dd | 间接依赖 | go |
| github.com/savsgio/gotils | v0.0.0-20211223103454-d0aaa54c5899 | 间接依赖 | go |
| github.com/hashicorp/go-multierror | v1.1.1 | 间接依赖 | go |
| github.com/cespare/xxhash/v2 | v2.2.0 | 间接依赖 | go |
| github.com/envoyproxy/go-control-plane | v0.10.1 | 间接依赖 | go |
| github.com/RoaringBitmap/roaring | v0.7.1 | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20211104193956-4c6863e31247 | 间接依赖 | go |
| github.com/golang/groupcache | v0.0.0-20210331224755-41bb18bfe9da | 间接依赖 | go |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.25.0 | 间接依赖 | go |
| github.com/russross/blackfriday/v2 | v2.1.0 | 间接依赖 | go |
| github.com/valyala/bytebufferpool | v1.0.0 | 间接依赖 | go |
| github.com/magiconair/properties | v1.8.6 | 间接依赖 | go |
| github.com/ohler55/ojg | v1.12.9 | 直接依赖 | go |
| github.com/go-redis/redis/v8 | v8.11.5 | 直接依赖 | go |
| github.com/envoyproxy/protoc-gen-validate | v0.1.0 | 间接依赖 | go |
| github.com/dubbogo/grpc-go | v1.42.9 | 间接依赖 | go |
| github.com/armon/go-metrics | v0.3.9 | 间接依赖 | go |
| github.com/apache/dubbo-go-hessian2 | v1.11.0 | 直接依赖 | go |
| github.com/matttproud/golang_protobuf_extensions | v1.0.1 | 间接依赖 | go |
| github.com/jcmturner/dnsutils/v2 | v2.0.0 | 间接依赖 | go |
| github.com/valyala/fasthttp | v1.47.0 | 直接依赖 | go |
| github.com/eapache/go-resiliency | v1.2.0 | 间接依赖 | go |
| github.com/coreos/go-semver | v0.3.0 | 间接依赖 | go |
| golang.org/x/sys | v0.6.0 | 间接依赖 | go |
| golang.org/x/text | v0.9.0 | 间接依赖 | go |
| github.com/jmespath/go-jmespath | v0.4.0 | 间接依赖 | go |
| github.com/prometheus/client_golang | v1.12.1 | 间接依赖 | go |
| github.com/mitchellh/reflectwalk | v1.0.2 | 间接依赖 | go |
| google.golang.org/appengine | v1.6.6 | 间接依赖 | go |
| github.com/prometheus/statsd_exporter | v0.21.0 | 间接依赖 | go |
| github.com/eolinker/eosc | v0.15.2 | 直接依赖 | go |
| github.com/prometheus/client_golang | v1.12.2 | 直接依赖 | go |
| github.com/apache/dubbo-go-hessian2 | v1.11.6 | 直接依赖 | go |
| go.etcd.io/etcd/api/v3 | v3.5.7 | 间接依赖 | go |
| github.com/golang/protobuf | v1.5.3 | 直接依赖 | go |
| github.com/fasthttp/websocket | v1.5.0 | 直接依赖 | go |
| google.golang.org/grpc | v1.55.0 | 直接依赖 | go |
| github.com/hashicorp/go-hclog | v0.16.2 | 间接依赖 | go |
| github.com/go-ole/go-ole | v1.2.6 | 间接依赖 | go |
| github.com/dgryski/go-rendezvous | v0.0.0-20200823014737-9f7001d12a5f | 间接依赖 | go |
| github.com/dustin/go-humanize | v1.0.0 | 间接依赖 | go |
| contrib.go.opencensus.io/exporter/prometheus | v0.4.1 | 间接依赖 | go |
| github.com/eapache/queue | v1.1.0 | 间接依赖 | go |
| github.com/golang/protobuf | v1.5.2 | 间接依赖 | go |
| github.com/influxdata/influxdb-client-go/v2 | v2.12.1 | 直接依赖 | go |
| google.golang.org/grpc | v1.45.0 | 间接依赖 | go |
| github.com/jcmturner/gokrb5/v8 | v8.4.2 | 间接依赖 | go |
| go.uber.org/atomic | v1.9.0 | 直接依赖 | go |
| github.com/knadh/koanf | v1.4.1 | 间接依赖 | go |
| github.com/tklauser/numcpus | v0.4.0 | 间接依赖 | go |
| github.com/grpc-ecosystem/go-grpc-middleware | v1.3.0 | 间接依赖 | go |
| github.com/klauspost/compress | v1.16.3 | 间接依赖 | go |
| go.etcd.io/etcd/api/v3 | v3.5.4 | 间接依赖 | go |
| google.golang.org/protobuf | v1.30.0 | 直接依赖 | go |
| github.com/natefinch/lumberjack | v2.0.0+incompatible | 间接依赖 | go |
| google.golang.org/protobuf | v1.28.1 | 直接依赖 | go |
| github.com/uber/jaeger-lib | v2.4.1+incompatible | 间接依赖 | go |
| github.com/grpc-ecosystem/grpc-opentracing | v0.0.0-20180507213350-8e809c8a8645 | 间接依赖 | go |
| go.opentelemetry.io/otel | v1.7.0 | 间接依赖 | go |
| github.com/soheilhy/cmux | v0.1.5 | 直接依赖 | go |
| github.com/prometheus/procfs | v0.7.3 | 间接依赖 | go |
| github.com/mattn/go-colorable | v0.1.8 | 间接依赖 | go |
| github.com/jcmturner/rpc/v2 | v2.0.3 | 间接依赖 | go |
| github.com/brianvoe/gofakeit/v6 | v6.20.1 | 直接依赖 | go |
| github.com/jcmturner/gofork | v1.0.0 | 间接依赖 | go |
| github.com/prometheus/common | v0.32.1 | 间接依赖 | go |
| github.com/xrash/smetrics | v0.0.0-20201216005158-039620a65673 | 间接依赖 | go |
| golang.org/x/text | v0.3.7 | 间接依赖 | go |
| github.com/google/uuid | v1.3.0 | 直接依赖 | go |
| github.com/hashicorp/serf | v0.9.5 | 间接依赖 | go |
| github.com/prometheus/client_model | v0.2.0 | 间接依赖 | go |
| github.com/mitchellh/go-homedir | v1.1.0 | 间接依赖 | go |
| github.com/StackExchange/wmi | v0.0.0-20190523213315-cbe66965904d | 间接依赖 | go |
| github.com/spf13/viper | v1.7.1 | 间接依赖 | go |
| go.etcd.io/etcd/client/v3 | v3.5.7 | 间接依赖 | go |
| github.com/json-iterator/go | v1.1.12 | 间接依赖 | go |
| gopkg.in/natefinch/lumberjack.v2 | v2.0.0 | 间接依赖 | go |
| github.com/jinzhu/copier | v0.3.5 | 间接依赖 | go |
| github.com/power-devops/perfstat | v0.0.0-20210106213030-5aafc221ea8c | 间接依赖 | go |
| github.com/clbanning/mxj | v1.8.4 | 直接依赖 | go |
| github.com/hashicorp/hcl | v1.0.0 | 间接依赖 | go |
| github.com/tklauser/go-sysconf | v0.3.6 | 间接依赖 | go |
| github.com/golang/mock | v1.5.0 | 间接依赖 | go |
| go.etcd.io/etcd/client/pkg/v3 | v3.5.7 | 间接依赖 | go |
| github.com/gorilla/websocket | v1.4.2 | 直接依赖 | go |
| github.com/hashicorp/go-cleanhttp | v0.5.1 | 间接依赖 | go |
| go.etcd.io/bbolt | v1.3.7 | 间接依赖 | go |
| google.golang.org/protobuf | v1.28.0 | 间接依赖 | go |
| go.etcd.io/etcd/client/v3 | v3.5.4 | 间接依赖 | go |
| go.uber.org/zap | v1.21.0 | 间接依赖 | go |
| github.com/buger/jsonparser | v1.1.1 | 间接依赖 | go |
| github.com/andybalholm/brotli | v1.0.5 | 间接依赖 | go |
| github.com/go-resty/resty/v2 | v2.7.0 | 间接依赖 | go |
| go.etcd.io/etcd/pkg/v3 | v3.5.7 | 间接依赖 | go |
| github.com/go-errors/errors | v1.0.1 | 间接依赖 | go |
| github.com/pierrec/lz4 | v2.6.1+incompatible | 间接依赖 | go |