Basic information
Project name: ethyca/fides
Repository: https://github.com/ethyca/fides
Scan report: https://www.murphysec.com/console/report/1721171823575502848/1730251756591337472
This report was produced by Murphysec.
Vulnerability list
| Vulnerability | Type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| loguru code injection | Code injection | MPS-2022-1393 | CVE-2022-0329 | Critical |
| httpx improper input validation | Improper input validation | MPS-2022-14944 | | Medium |
| setuptools (Python) security vulnerability | ReDoS | MPS-2022-57238 | CVE-2022-40897 | Medium |
| OpenSSL security vulnerability | Improper locking | MPS-2022-64591 | CVE-2022-3996 | High |
| OpenSSL buffer error | Out-of-bounds read | MPS-2022-65756 | CVE-2022-4203 | Medium |
| OpenSSL security vulnerability | Information exposure through observable discrepancy (timing side channel) | MPS-2022-66954 | CVE-2022-4304 | Medium |
| OpenSSL resource management error | Double free | MPS-2022-67892 | CVE-2022-4450 | High |
| OpenSSL resource management error | Use after free | MPS-2023-1276 | CVE-2023-0215 | High |
| OpenSSL code issue | NULL pointer dereference | MPS-2023-1277 | CVE-2023-0216 | High |
| OpenSSL code issue | NULL pointer dereference | MPS-2023-1278 | CVE-2023-0217 | High |
| OpenSSL code issue | NULL pointer dereference | MPS-2023-2153 | CVE-2023-0401 | High |
| cryptography code issue | Improper check for unusual or exceptional conditions | MPS-2023-2194 | CVE-2023-23931 | Medium |
| redis-py information disclosure | Exposure of sensitive information to an unauthorized actor | MPS-2023-8854 | CVE-2023-28858 | Medium |
| redis-py information disclosure | Exposure of sensitive information to an unauthorized actor | MPS-2023-8855 | CVE-2023-28859 | Medium |
| OpenSSL code issue | Improper check for unusual or exceptional conditions | MPS-7ch0-so2p | CVE-2023-5678 | Medium |
| Apache Arrow PyArrow arbitrary code execution | Deserialization of untrusted data | MPS-eck2-x5ys | CVE-2023-47248 | High |
| cryptography NULL pointer dereference | NULL pointer dereference | MPS-gt9j-ch43 | CVE-2023-49083 | Medium |
| Requests Proxy-Authorization header leak | Exposure of sensitive information to an unauthorized actor | MPS-hr61-tzey | CVE-2023-32681 | Medium |
| OpenSSL security vulnerability | Excessive iteration | MPS-n3pe-ljgc | CVE-2023-3817 | Medium |
| python-cryptography trust management issue | Improper certificate validation | MPS-sj5m-20tf | CVE-2023-38325 | High |
| Torbot security vulnerability | ReDoS | MPS-t8zd-cij7 | CVE-2023-45813 | High |
Defective components
| Component | Version | Minimum fixed version | Dependency relation | Recommendation |
|---|---|---|---|---|
| loguru | 0.6.0 | | Indirect dependency | Fix recommended |
| pyarrow | 6.0.0 | 14.0.1 | Indirect dependency | Fix recommended |
| requests | 2.27.1 | 2.31.0 | Indirect dependency | Fix recommended |
| cryptography | 38.0.3 | | Indirect dependency | Fix recommended |
| validators | 0.20.0 | 0.21.0 | Indirect dependency | Optional fix |
| redis | 3.5.3 | 4.5.3 | Indirect dependency | Optional fix |
| setuptools | 64.0.2 | 65.5.1 | Indirect dependency | Optional fix |
| httpx | 0.23.1 | | Indirect dependency | Optional fix |
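The table above is only useful if someone actually compares it against what is installed and turns it into pins. The script below is an added example (not part of the Murphysec report or of the fides project) that does exactly that for the rows listed: it compares installed versions against the minimum fixed versions, flags the three rows where the report left the minimum fixed version blank (loguru, cryptography, httpx) for manual review rather than silently treating them as fixed, and emits a pip constraints file for the rest. The `REPORT_ROWS` data is copied from the table; the version parser is a deliberately small stdlib-only routine that handles the plain dotted releases appearing here, not a full PEP 440 implementation. Using `importlib.metadata` to read the live environment is an assumption about how the check would be run, not something the report describes.

```python
"""Compare installed versions against the report's minimum fixed versions.

Added example; not code from the original report or from ethyca/fides.
Standard library only.
"""
import re
from dataclasses import dataclass
from importlib.metadata import PackageNotFoundError, version
from typing import Dict, Iterable, List, Optional, Tuple

# Rows copied from the 'Defective components' table. A min_fix of None
# reproduces the rows where the report left that column blank.
REPORT_ROWS: List[Tuple[str, str, Optional[str]]] = [
    ("loguru", "0.6.0", None),
    ("pyarrow", "6.0.0", "14.0.1"),
    ("requests", "2.27.1", "2.31.0"),
    ("cryptography", "38.0.3", None),
    ("validators", "0.20.0", "0.21.0"),
    ("redis", "3.5.3", "4.5.3"),
    ("setuptools", "64.0.2", "65.5.1"),
    ("httpx", "0.23.1", None),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.0.1' into (14, 0, 1). Trailing zeros are dropped so that
    '2.31' and '2.31.0' compare equal; a suffix such as '.post1' is ignored.
    Good enough for the report's rows; not a full PEP 440 parser."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class Finding:
    name: str
    installed: str
    min_fix: Optional[str]
    status: str  # "vulnerable", "fixed" or "manual-review"


def check_components(installed: Dict[str, str], rows=REPORT_ROWS) -> List[Finding]:
    """installed maps lowercase distribution name -> version. Components absent
    from the mapping fall back to the version recorded in the report, so the
    function also reproduces the report's own verdicts when given {}."""
    findings = []
    for name, reported, min_fix in rows:
        current = installed.get(name.lower(), reported)
        if min_fix is None:
            # No fixed version on record: do not assume it is safe.
            status = "manual-review"
        elif parse_version(current) < parse_version(min_fix):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append(Finding(name, current, min_fix, status))
    return findings


def constraints_file(findings: Iterable[Finding]) -> str:
    """Emit lines for 'pip install -c constraints.txt ...' covering every
    component with a known minimum fixed version."""
    return "".join(f"{f.name}>={f.min_fix}\n" for f in findings if f.min_fix)


def live_versions(names: Iterable[str]) -> Dict[str, str]:
    """Read versions from the running interpreter (assumed usage). Packages
    that are not installed are left out so the report's version is used."""
    out: Dict[str, str] = {}
    for n in names:
        try:
            out[n.lower()] = version(n)
        except PackageNotFoundError:
            pass
    return out


if __name__ == "__main__":
    env = live_versions(n for n, _, _ in REPORT_ROWS)
    results = check_components(env)
    for f in results:
        print(f"{f.name:<13} {f.installed:<8} min-fix={(f.min_fix or '-'):<8} {f.status}")
    print(constraints_file(results), end="")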
License risk
| License type | Components | License risk |
|---|---|---|
| MIT | 32 | Low |
| Apache-2.0 | 12 | Low |
| BSD-3-Clause | 2 | Low |
| Custom license | 23 | Low |
| Apache-2.0 OR BSD-3-Clause | 1 | Low |
| GPL-1.0-or-later | 1 | Low |
| LGPL-3.0 | 1 | Medium |
| GPL-2.0-or-later | 1 | Low |
SBOM inventory
| Component | Version | Direct dependency? | Repository |
|---|---|---|---|
| isort | 5.12.0 | Indirect dependency | pip |
| hvac | 0.11.2 | Indirect dependency | pip |
| pyinstrument | 4.5.1 | Indirect dependency | pip |
| StringTypeConverter | | Indirect dependency | pip |
| pytest-cov | 4.0.0 | Indirect dependency | pip |
| dev-requirements.txt | | Indirect dependency | pip |
| ValidationError | | Indirect dependency | pip |
| b64_str_to_bytes | | Indirect dependency | pip |
| Jinja2 | 3.1.2 | Indirect dependency | pip |
| Any | | Indirect dependency | pip |
| Generator | | Indirect dependency | pip |
| cryptography | 38.0.3 | Indirect dependency | pip |
| pymongo | 3.13.0 | Indirect dependency | pip |
| Dataset | | Indirect dependency | pip |
| DataCategory | | Indirect dependency | pip |
| Iterator | | Indirect dependency | pip |
| requests | 2.27.1 | Indirect dependency | pip |
| FieldPath | | Indirect dependency | pip |
| colorama | 0.4.3 | Indirect dependency | pip |
| watchfiles | 0.19.0 | Indirect dependency | pip |
| pydash | 6.0.2 | Indirect dependency | pip |
| bytes_to_b64_str | | Indirect dependency | pip |
| types-paramiko | 3.0.0.10 | Indirect dependency | pip |
| docker_nox | | Indirect dependency | pip |
| AsyncSession | | Indirect dependency | pip |
| List | | Indirect dependency | pip |
| PrivacyRequest | | Indirect dependency | pip |
| APPROVER | | Indirect dependency | pip |
| importlib_resources | 5.12.0 | Indirect dependency | pip |
| PrivacyRequestStatus | | Indirect dependency | pip |
| StorageSecretsS3 | | Indirect dependency | pip |
| SafeStr | | Indirect dependency | pip |
| HEALTH | | Indirect dependency | pip |
| TraversalNode | | Indirect dependency | pip |
| PolicyPreWebhook | | Indirect dependency | pip |
| fideslog | 1.2.10 | Indirect dependency | pip |
| asyncpg | 0.27.0 | Indirect dependency | pip |
| Collection | | Indirect dependency | pip |
| environ | | Indirect dependency | pip |
| pyyaml | 6.0.1 | Indirect dependency | pip |
| pytest-asyncio | 0.19.0 | Indirect dependency | pip |
| loguru | 0.6.0 | Indirect dependency | pip |
| docs/fides/requirements.txt | | Indirect dependency | pip |
| StorageType | | Indirect dependency | pip |
| VIEWER | | Indirect dependency | pip |
| fides | | Indirect dependency | pip |
| packaging | 23.0 | Indirect dependency | pip |
| FidesopsRedis | | Indirect dependency | pip |
| sendgrid | 6.9.7 | Indirect dependency | pip |
| USER_PERMISSIONS | | Indirect dependency | pip |
| validators | 0.20.0 | Indirect dependency | pip |
| nox | 2022.8.7 | Indirect dependency | pip |
| ABC | | Indirect dependency | pip |
| requests-mock | 1.10.0 | Indirect dependency | pip |
| System | | Indirect dependency | pip |
| toml | 0.10.2 | Indirect dependency | pip |
| twilio | 7.15.0 | Indirect dependency | pip |
| mkdocs-render-swagger-plugin | 0.0.3 | Indirect dependency | pip |
| fastapi | | Indirect dependency | pip |
| okta | 2.7.0 | Indirect dependency | pip |
| FieldAddress | | Indirect dependency | pip |
| mike | 1.1.2 | Indirect dependency | pip |
| ROLES_TO_SCOPES_MAPPING | | Indirect dependency | pip |
| ThreadPoolExecutor | | Indirect dependency | pip |
| MASKED | | Indirect dependency | pip |
| user_exists | | Indirect dependency | pip |
| NoSuchStrategyException | | Indirect dependency | pip |
| Optional | | Indirect dependency | pip |
| DEFAULT_TAXONOMY | | Indirect dependency | pip |
| setuptools | 64.0.2 | Indirect dependency | pip |
| sqlalchemy-redshift | 0.8.11 | Indirect dependency | pip |
| mkdocs-material | 8.2.7 | Indirect dependency | pip |
| sqlalchemy-stubs | 0.4 | Indirect dependency | pip |
| Organization | | Indirect dependency | pip |
| expandvars | 0.9.0 | Indirect dependency | pip |
| KeyOrNameAlreadyExists | | Indirect dependency | pip |
| find_packages | | Indirect dependency | pip |
| mkdocs-click | 0.5.0 | Indirect dependency | pip |
| apscheduler | | Indirect dependency | pip |
| PolicyPostWebhook | | Indirect dependency | pip |
| func | | Indirect dependency | pip |
| redis | 3.5.3 | Indirect dependency | pip |
| Faker | 14.1.0 | Indirect dependency | pip |
| APScheduler | 3.9.1.post1 | Indirect dependency | pip |
| types-urllib3 | 1.26.23 | Indirect dependency | pip |
| mkdocs-minify-plugin | 0.4.0 | Indirect dependency | pip |
| slowapi | 0.1.8 | Indirect dependency | pip |
| models | | Indirect dependency | pip |
| ConnectionConfig | | Indirect dependency | pip |
| b64encode | | Indirect dependency | pip |
| multidimensional_urlencode | 0.0.4 | Indirect dependency | pip |
| CONTRIBUTOR | | Indirect dependency | pip |
| rich_click | | Indirect dependency | pip |
| types-ujson | 5.4.0 | Indirect dependency | pip |
| jose | | Indirect dependency | pip |
| timedelta | | Indirect dependency | pip |
| URL | | Indirect dependency | pip |
| ConnectionType | | Indirect dependency | pip |
| bson | | Indirect dependency | pip |
| Engine | | Indirect dependency | pip |
| pydantic | 1.10.9 | Indirect dependency | pip |
| pytest | 7.2.2 | Indirect dependency | pip |
| setup | | Indirect dependency | pip |
| paramiko | 3.1.0 | Indirect dependency | pip |
| b64decode | | Indirect dependency | pip |
| FullstoryTestClient | | Indirect dependency | pip |
| PhoneNumber | | Indirect dependency | pip |
| SaaSRequestParams | | Indirect dependency | pip |
| dask | 2022.9.2 | Indirect dependency | pip |
| Callable | | Indirect dependency | pip |
| pytest-env | 0.6.2 | Indirect dependency | pip |
| DrpAction | | Indirect dependency | pip |
| V1_URL_PREFIX | | Indirect dependency | pip |
| date | | Indirect dependency | pip |
| HTTPMethod | | Indirect dependency | pip |
| SQLAlchemy-Utils | 0.38.3 | Indirect dependency | pip |
| black | 23.1.0 | Indirect dependency | pip |
| CollectionMeta | | Indirect dependency | pip |
| fideslang | 2.2.2 | Indirect dependency | pip |
| Pii | | Indirect dependency | pip |
| Unidecode | 1.3.4 | Indirect dependency | pip |
| user_updated | | Indirect dependency | pip |
| HTTP_404_NOT_FOUND | | Indirect dependency | pip |
| FileSystemLoader | | Indirect dependency | pip |
| abstractmethod | | Indirect dependency | pip |
| ConnectionTestStatus | | Indirect dependency | pip |
| psycopg2-binary | 2.9.6 | Indirect dependency | pip |
| create_async_engine | | Indirect dependency | pip |
| versioneer | 0.19 | Indirect dependency | pip |
| deepdiff | 6.3.0 | Indirect dependency | pip |
| HubspotTestClient | | Indirect dependency | pip |
| CollectionAddress | | Indirect dependency | pip |
| PRIVACY_REQUESTS | | Indirect dependency | pip |
| sshtunnel | 0.4.0 | Indirect dependency | pip |
| defusedxml | 0.7.1 | Indirect dependency | pip |
| requirements.txt | | Indirect dependency | pip |
| FidesDatasetReference | | Indirect dependency | pip |
| iab-tcf | 0.2.2 | Indirect dependency | pip |
| httpx | 0.23.1 | Indirect dependency | pip |
| is_token_expired | | Indirect dependency | pip |
| pylint | 2.15.4 | Indirect dependency | pip |
| MASKING_READ | | Indirect dependency | pip |
| sqlalchemy-citext | 1.8.0 | Indirect dependency | pip |
| extract_payload | | Indirect dependency | pip |
| Environment | | Indirect dependency | pip |
| openpyxl | 3.0.9 | Indirect dependency | pip |
| firebase-admin | 5.3.0 | Indirect dependency | pip |
| Traversal | | Indirect dependency | pip |
| ExecutionLog | | Indirect dependency | pip |
| pre-commit | 2.20.0 | Indirect dependency | pip |
| MAPPED_SPECIAL_PURPOSES | | Indirect dependency | pip |
| types-toml | 0.10.8 | Indirect dependency | pip |
| GitPython | 3.1.35 | Indirect dependency | pip |
| sqlalchemy | | Indirect dependency | pip |
| snowflake-sqlalchemy | 1.4.3 | Indirect dependency | pip |
| HTTP_200_OK | | Indirect dependency | pip |
| as_completed | | Indirect dependency | pip |
| OWNER | | Indirect dependency | pip |
| getcwd | | Indirect dependency | pip |
| Request | | Indirect dependency | pip |
| pyarrow | 6.0.0 | Indirect dependency | pip |
| rich-click | 1.6.1 | Indirect dependency | pip |
| MAPPED_PURPOSES | | Indirect dependency | pip |
| USER_PERMISSION_CREATE | | Indirect dependency | pip |
| DataType | | Indirect dependency | pip |
| PreparedRequest | | Indirect dependency | pip |
| mypy | 0.981 | Indirect dependency | pip |
| anyio | 3.7.1 | Indirect dependency | pip |
| boto3 | 1.26.1 | Indirect dependency | pip |
| pandas | 1.4.3 | Indirect dependency | pip |
| types-redis | 4.3.4 | Indirect dependency | pip |
| pymssql | 2.2.8 | Indirect dependency | pip |
| MASKING_EXEC | | Indirect dependency | pip |
| PyJWT | 2.4.0 | Indirect dependency | pip |
| tests | | Indirect dependency | pip |
| alembic | 1.8.1 | Indirect dependency | pip |
| ID_VERIFICATION_CONFIG | | Indirect dependency | pip |
| ActionType | | Indirect dependency | pip |
| KeyValidationError | | Indirect dependency | pip |
| PyMySQL | 1.0.2 | Indirect dependency | pip |
| plotly | 5.13.1 | Indirect dependency | pip |
| USER_DELETE | | Indirect dependency | pip |
| xenon | 0.9.0 | Indirect dependency | pip |
| types-PyYAML | 6.0.11 | Indirect dependency | pip |
| Dict | | Indirect dependency | pip |
| sqlalchemy-bigquery | 1.4.4 | Indirect dependency | pip |
| get_cache | | Indirect dependency | pip |
| debugpy | 1.6.3 | Indirect dependency | pip |
Rows with no version (for example Any, List, Optional, b64encode, ThreadPoolExecutor, dev-requirements.txt) are Python import names, fides-internal symbols or file paths that the scanner picked up from source files; they are not pip distributions and should be disregarded when acting on this inventory.