基础信息
项目名称:jbosstm/narayana
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1721297979179565056/1744266525545193472
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| JSoup 跨站脚本漏洞 | XSS | MPS-2017-10843 | CVE-2015-6748 | 中危 |
| jsoup | 不可达退出条件的循环(无限循环) | MPS-2021-17634 | CVE-2021-37714 | 高危 |
| Apache Commons IO 存在路径遍历漏洞 | 路径遍历 | MPS-2021-4531 | CVE-2021-29425 | 中危 |
| commons-codec:commons-codec 存在信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2022-11853 | 低危 | |
| io.netty:netty-handler 存在证书验证不恰当漏洞 | 证书验证不恰当 | MPS-2022-12067 | 中危 | |
| Hazelcast | XXE | MPS-2022-1589 | CVE-2022-0265 | 严重 |
| jsoup | XSS | MPS-2022-51547 | CVE-2022-36033 | 中危 |
| Hazelcast 安全漏洞 | 凭证保护不足 | MPS-8wc3-pyfm | CVE-2023-33264 | 中危 |
| Netty 资源管理错误漏洞 | 不加限制或调节的资源分配 | MPS-9u07-bna1 | CVE-2023-34462 | 中危 |
| Hazelcast 安全漏洞 | 授权检查缺失 | MPS-p0db-hun3 | CVE-2023-33265 | 高危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| io.netty:netty-handler | 4.1.89.Final | 间接依赖 | 建议修复 | |
| com.fasterxml.jackson.core:jackson-databind | 2.14.0 | 间接依赖 | 建议修复 | |
| com.hazelcast:hazelcast | 3.12.13 | 5.3.0 | 间接依赖 | 建议修复 |
| commons-codec:commons-codec | 1.11 | 1.13 | 间接依赖 | 可选修复 |
| org.jsoup:jsoup | 1.7.2 | 1.15.3 | 间接依赖 | 可选修复 |
| commons-io:commons-io | 2.5 | 2.7 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 113 | 低 |
| LGPL-2.1 | 22 | 中 |
| 自定义许可证 | 13 | 低 |
| GPL-2.0-with-classpath-exception | 1 | 中 |
| EPL-2.0 | 13 | 低 |
| EPL-1.0 | 4 | 低 |
| BSD-3-Clause | 1 | 低 |
| MIT | 3 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| org.apache.maven.resolver:maven-resolver-connector-basic | 1.4.1 | 间接依赖 | maven |
| org.jboss.arquillian.core:arquillian-core-impl-base | 1.7.0.Final | 间接依赖 | maven |
| org.jboss.arquillian.test:arquillian-test-impl-base | 1.7.0.Final | 间接依赖 | maven |
| io.smallrye.config:smallrye-config-common | 3.2.0 | 间接依赖 | maven |
| org.jboss.byteman:byteman | 4.0.19 | 直接依赖 | maven |
| libm.so.1 | 间接依赖 | ||
| io.netty:netty-common | 4.1.89.Final | 间接依赖 | maven |
| org.hamcrest:hamcrest-core | 1.3 | 间接依赖 | maven |
| io.smallrye.common:smallrye-common-annotation | 2.1.0 | 间接依赖 | maven |
| org.apache.maven:maven-resolver-provider | 3.6.3 | 间接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.5.0.Final | 直接依赖 | maven |
| io.smallrye.config:smallrye-config | 3.2.0 | 直接依赖 | maven |
| org.apache.maven.wagon:wagon-http-shared | 2.12 | 间接依赖 | maven |
| jakarta.ws.rs:jakarta.ws.rs-api | 3.1.0 | 直接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.1.4.GA | 直接依赖 | maven |
| org.jboss.narayana.rts:restat-api | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.apache.maven:maven-model | 3.6.3 | 间接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.1.1 | 直接依赖 | maven |
| org.jboss.narayana.xts:bridge | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.narayana.jta:cdi | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-spi-maven-archive | 3.1.4 | 间接依赖 | maven |
| org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base | 2.0.0 | 间接依赖 | maven |
| jakarta.activation:jakarta.activation-api | 2.1.0 | 间接依赖 | maven |
| org.jboss.narayana.jts:jtax | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.arquillian.core:arquillian-core-spi | 1.7.0.Final | 间接依赖 | maven |
| org.eclipse.sisu:org.eclipse.sisu.plexus | 0.3.4 | 间接依赖 | maven |
| org.apache.maven:maven-settings-builder | 3.6.3 | 间接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.8.1 | 间接依赖 | maven |
| io.smallrye.config:smallrye-config-core | 3.2.0 | 间接依赖 | maven |
| jakarta.xml.bind:jakarta.xml.bind-api | 4.0.0 | 直接依赖 | maven |
| org.apache.activemq:activemq-artemis-native | 2.0.0 | 间接依赖 | maven |
| org.jboss.narayana.xts:wsas | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.narayana.jts:idlj-idl-openjdk | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.narayana.jts:narayana-jts-integration | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.resteasy:resteasy-core | 6.2.5.Final | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-jackson2-provider | 6.2.5.Final | 直接依赖 | maven |
| org.apache.httpcomponents:httpclient | 4.5.14 | 间接依赖 | maven |
| org.eclipse.microprofile.lra:microprofile-lra-tck | 2.0 | 直接依赖 | maven |
| io.smallrye.common:smallrye-common-expression | 2.1.0 | 间接依赖 | maven |
| io.netty:netty-handler | 4.1.89.Final | 间接依赖 | maven |
| io.netty:netty-resolver-dns | 4.1.89.Final | 间接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| SHLWAPI.dll | 间接依赖 | ||
| org.jboss.narayana.xts:jbossxts | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| io.netty:netty-buffer | 4.1.94.Final | 间接依赖 | maven |
| io.smallrye.common:smallrye-common-constraint | 2.1.0 | 间接依赖 | maven |
| org.apache.maven:maven-repository-metadata | 3.6.3 | 间接依赖 | maven |
| org.codehaus.plexus:plexus-interpolation | 1.25 | 间接依赖 | maven |
| libpthread.so.0 | 间接依赖 | ||
| org.apache.maven:maven-artifact | 3.6.3 | 间接依赖 | maven |
| io.netty:netty-codec-http | 4.1.89.Final | 间接依赖 | maven |
| org.jctools:jctools-core | 2.1.2 | 间接依赖 | maven |
| org.eclipse.microprofile.fault-tolerance:microprofile-fault-tolerance-api | 4.0.2 | 直接依赖 | maven |
| org.jboss.narayana.xts:wscf11 | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| libsocket.so.1 | 间接依赖 | ||
| org.jboss.arquillian.test:arquillian-test-api | 1.7.0.Final | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.14.0 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.14.0 | 间接依赖 | maven |
| org.jboss.narayana.jta:jta | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.arquillian.junit:arquillian-junit-container | 1.7.0.Final | 直接依赖 | maven |
| org.jboss.weld.se:weld-se-shaded | 5.0.1.Final | 直接依赖 | maven |
| org.jboss.arquillian.container:arquillian-container-test-spi | 1.7.0.Final | 间接依赖 | maven |
| cygstdc++-6.dll | 间接依赖 | ||
| org.eclipse.microprofile.reactive-streams-operators:microprofile-reactive-streams-operators-api | 3.0 | 直接依赖 | maven |
| org.jboss.narayana.jts:orbportability | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.json:jakarta.json-api | 2.0.1 | 直接依赖 | maven |
| commons-codec:commons-codec | 1.11 | 间接依赖 | maven |
| org.codehaus.plexus:plexus-compiler-javac | 2.7 | 间接依赖 | maven |
| org.jboss.arquillian.container:arquillian-container-test-impl-base | 1.7.0.Final | 间接依赖 | maven |
| org.jboss.narayana:jbosstxbridge | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| io.netty:netty-handler-proxy | 4.1.89.Final | 间接依赖 | maven |
| org.jboss.narayana.xts:wstx11 | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.apache.httpcomponents:httpcore | 4.4.16 | 间接依赖 | maven |
| org.codehaus.plexus:plexus-utils | 3.2.1 | 间接依赖 | maven |
| org.jboss.threads:jboss-threads | 2.4.0.Final | 直接依赖 | maven |
| junit:junit | 4.13.1 | 直接依赖 | maven |
| org.sonatype.plexus:plexus-cipher | 1.4 | 间接依赖 | maven |
| io.netty:netty-transport-native-unix-common | 4.1.89.Final | 间接依赖 | maven |
| org.jboss.arquillian.container:arquillian-container-impl-base | 1.7.0.Final | 间接依赖 | maven |
| jakarta.transaction:jakarta.transaction-api | 2.0.1 | 直接依赖 | maven |
| org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi | 2.0.0 | 间接依赖 | maven |
| org.jboss.narayana.rts:lra-client | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-spi-maven | 3.1.4 | 间接依赖 | maven |
| org.eclipse.sisu:org.eclipse.sisu.inject | 0.3.4 | 间接依赖 | maven |
| commons-collections:commons-collections | 3.2.2 | 间接依赖 | maven |
| jakarta.el:jakarta.el-api | 5.0.0 | 间接依赖 | maven |
| org.eclipse.microprofile.lra:microprofile-lra-api | 2.0 | 直接依赖 | maven |
| io.netty:netty-codec-http2 | 4.1.89.Final | 间接依赖 | maven |
| org.jboss.shrinkwrap:shrinkwrap-impl-base | 1.2.6 | 间接依赖 | maven |
| KERNEL32.dll | 间接依赖 | ||
| org.apache.maven:maven-model-builder | 3.6.3 | 间接依赖 | maven |
| io.netty:netty-codec-dns | 4.1.89.Final | 间接依赖 | maven |
| io.vertx:vertx-hazelcast | 3.9.15 | 直接依赖 | maven |
| org.apache.activemq:artemis-commons | 2.30.0 | 间接依赖 | maven |
| jakarta.xml.soap:jakarta.xml.soap-api | 3.0.0 | 间接依赖 | maven |
| org.reactivestreams:reactive-streams | 1.0.3 | 间接依赖 | maven |
| org.jboss.narayana.rts:lra-service-base | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.apache.maven.resolver:maven-resolver-spi | 1.4.1 | 间接依赖 | maven |
| org.hamcrest:hamcrest-all | 1.3 | 间接依赖 | maven |
| org.jboss.narayana.jts:jts | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.jms:jakarta.jms-api | 3.1.0 | 直接依赖 | maven |
| org.wildfly.common:wildfly-common | 1.3.0.Final | 间接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven | 3.1.4 | 直接依赖 | maven |
| org.jboss.arquillian.core:arquillian-core-api | 1.7.0.Final | 间接依赖 | maven |
| jakarta.inject:jakarta.inject-api | 2.0.1 | 直接依赖 | maven |
| org.jboss.narayana.jta:jdbc | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| libnsl.so.1 | 间接依赖 | ||
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-api-maven | 3.1.4 | 间接依赖 | maven |
| org.jboss.arquillian.config:arquillian-config-spi | 1.7.0.Final | 间接依赖 | maven |
| org.jboss.narayana.rts:restat-util | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.narayana.rts:restat-web | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.ow2.asm:asm | 9.4 | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-client | 6.2.5.Final | 直接依赖 | maven |
| libpthread.so.1 | 间接依赖 | ||
| org.jboss.arquillian.junit:arquillian-junit-core | 1.7.0.Final | 间接依赖 | maven |
| io.netty:netty-codec-socks | 4.1.89.Final | 间接依赖 | maven |
| com.hazelcast:hazelcast | 3.12.13 | 间接依赖 | maven |
| org.jboss.narayana.xts:ws-c11 | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.arquillian.config:arquillian-config-api | 1.7.0.Final | 间接依赖 | maven |
| org.apache.maven.wagon:wagon-file | 3.3.4 | 间接依赖 | maven |
| org.codehaus.plexus:plexus-compiler-api | 2.7 | 间接依赖 | maven |
| org.jboss.invocation:jboss-invocation | 2.0.0.Final | 直接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.1.0 | 间接依赖 | maven |
| org.jboss.narayana.stm:stm | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.servlet:jakarta.servlet-api | 6.0.0 | 直接依赖 | maven |
| org.jboss.narayana.jta:jms | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| io.vertx:vertx-core | 3.9.15 | 直接依赖 | maven |
| org.jboss.narayana.arjunacore:arjunacore-services | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.interceptor:jakarta.interceptor-api | 2.1.0 | 直接依赖 | maven |
| org.jboss.byteman:byteman-submit | 4.0.19 | 直接依赖 | maven |
| org.apache.maven.wagon:wagon-http-lightweight | 2.12 | 间接依赖 | maven |
| org.eclipse.microprofile.config:microprofile-config-api | 3.0.2 | 直接依赖 | maven |
| org.jboss.narayana:common | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-api-maven-archive | 3.1.4 | 间接依赖 | maven |
| org.apache.maven.resolver:maven-resolver-transport-wagon | 1.4.1 | 间接依赖 | maven |
| io.netty:netty-common | 4.1.94.Final | 间接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven-archive | 3.1.4 | 直接依赖 | maven |
| org.jsoup:jsoup | 1.7.2 | 间接依赖 | maven |
| org.glassfish.grizzly:grizzly-npn-api | 1.0 | 直接依赖 | maven |
| io.netty:netty-resolver | 4.1.89.Final | 间接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-spi | 3.1.4 | 间接依赖 | maven |
| org.slf4j:slf4j-api | 1.7.29 | 间接依赖 | maven |
| org.apache.activemq:artemis-journal | 2.30.0 | 直接依赖 | maven |
| org.apache.maven.resolver:maven-resolver-api | 1.4.1 | 间接依赖 | maven |
| org.jboss.shrinkwrap:shrinkwrap-api | 1.2.6 | 间接依赖 | maven |
| org.jboss.arquillian.container:arquillian-container-test-api | 1.7.0.Final | 间接依赖 | maven |
| librt.so.1 | 间接依赖 | ||
| org.jboss.resteasy:resteasy-client-api | 6.2.5.Final | 间接依赖 | maven |
| org.jboss.narayana.arjunacore:arjuna | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| commons-io:commons-io | 2.5 | 间接依赖 | maven |
| org.jboss.narayana.xts:service | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| io.smallrye.common:smallrye-common-classloader | 2.1.0 | 间接依赖 | maven |
| org.jboss.narayana.rts:lra-proxy-api | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| cygwin1.dll | 间接依赖 | ||
| org.jboss.arquillian.container:arquillian-container-spi | 1.7.0.Final | 间接依赖 | maven |
| org.jboss.logging:jboss-logging-annotations | 2.2.1.Final | 间接依赖 | maven |
| jakarta.enterprise:jakarta.enterprise.cdi-api | 4.0.0 | 直接依赖 | maven |
| org.slf4j:slf4j-api | 1.7.36 | 间接依赖 | maven |
| org.apache.maven:maven-settings | 3.6.3 | 间接依赖 | maven |
| org.sonatype.plexus:plexus-sec-dispatcher | 1.4 | 间接依赖 | maven |
| org.jboss.narayana.rts:lra-coordinator-jar | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.arquillian.test:arquillian-test-spi | 1.7.0.Final | 间接依赖 | maven |
| io.netty:netty-codec | 4.1.89.Final | 间接依赖 | maven |
| ADVAPI32.dll | 间接依赖 | ||
| libc.so.1 | 间接依赖 | ||
| javax.inject:javax.inject | 1 | 间接依赖 | maven |
| io.netty:netty-transport | 4.1.89.Final | 间接依赖 | maven |
| jakarta.xml.ws:jakarta.xml.ws-api | 4.0.0 | 直接依赖 | maven |
| commons-beanutils:commons-beanutils | 1.9.4 | 间接依赖 | maven |
| libc.so.6 | 间接依赖 | ||
| com.fasterxml.jackson.core:jackson-core | 2.14.0 | 间接依赖 | maven |
| org.jboss.narayana.arjunacore:arjunacore | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| io.smallrye.common:smallrye-common-function | 2.1.0 | 间接依赖 | maven |
| org.jboss.narayana.jta:narayana-jta | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.resource:jakarta.resource-api | 2.0.0 | 直接依赖 | maven |
| jakarta.enterprise:jakarta.enterprise.lang-model | 4.0.0 | 间接依赖 | maven |
| org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-api | 3.1.4 | 直接依赖 | maven |
| org.jboss.jdeparser:jdeparser | 2.0.3.Final | 间接依赖 | maven |
| org.apache.maven.wagon:wagon-provider-api | 3.3.4 | 间接依赖 | maven |
| org.jboss:jboss-transaction-spi | 8.0.0.Final | 直接依赖 | maven |
| org.jboss.narayana.xts:recovery | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| org.jboss.arquillian.config:arquillian-config-impl-base | 1.7.0.Final | 间接依赖 | maven |
| org.jboss.resteasy:resteasy-core-spi | 6.2.5.Final | 直接依赖 | maven |
| org.jboss.shrinkwrap:shrinkwrap-spi | 1.2.6 | 间接依赖 | maven |
| org.dom4j:dom4j | 2.1.3 | 直接依赖 | maven |
| org.jboss.narayana.arjunacore:txoj | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.0.0 | 间接依赖 | maven |
| USER32.dll | 间接依赖 | ||
| org.apache.maven.resolver:maven-resolver-impl | 1.4.1 | 间接依赖 | maven |
| org.apache.maven:maven-builder-support | 3.6.3 | 间接依赖 | maven |
| org.apache.maven.resolver:maven-resolver-util | 1.4.1 | 间接依赖 | maven |
| io.netty:netty-buffer | 4.1.89.Final | 间接依赖 | maven |
| org.jboss.logging:jboss-logging-processor | 2.2.1.Final | 直接依赖 | maven |
| org.jboss.narayana.xts:ws-t11 | 7.0.1.Final-SNAPSHOT | 直接依赖 | maven |