基础信息
项目名称:asciidocfx/AsciidocFX
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1720730037976891392/1747137400633483264
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Red Hat XNIO 资源错误分配漏洞 | 不加限制或调节的资源分配 | MPS-2022-0191 | CVE-2022-0084 | 高危 |
| Apache XML Graphics Batik | SSRF | MPS-2022-63578 | CVE-2022-44729 | 中危 |
| Apache XML Graphics Batik 代码问题漏洞 | SSRF | MPS-2022-63579 | CVE-2022-44730 | 中危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| org.apache.xmlgraphics:batik-transcoder | 1.16 | 1.17 | 间接依赖 | 强烈建议修复 |
| org.apache.xmlgraphics:batik-bridge | 1.16 | 1.17 | 间接依赖 | 强烈建议修复 |
| com.fasterxml.jackson.core:jackson-databind | 2.15.3 | 2.16.0 | 间接依赖 | 建议修复 |
| org.jboss.xnio:xnio-api | 3.8.8.Final | 3.8.8 | 间接依赖 | 可选修复 |
| org.apache.xmlgraphics:batik-script | 1.16 | 1.17 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 105 | 低 |
| GPL-2.0 | 3 | 中 |
| LGPL-2.1 | 3 | 中 |
| EPL-2.0 | 14 | 低 |
| 自定义许可证 | 25 | 低 |
| MIT | 8 | 低 |
| BSD-3-Clause | 5 | 低 |
| LGPL-2.1-or-later | 2 | 低 |
| CDDL-1.1 | 1 | 低 |
| EPL-1.0 | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| org.apache.xmlgraphics:fop | 2.9 | 直接依赖 | maven |
| org.apache.xmlgraphics:batik-parser | 1.16 | 间接依赖 | maven |
| com.headius:invokebinder | 1.13 | 间接依赖 | maven |
| org.jruby:jruby-base | 9.4.5.0 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-i18n | 1.16 | 间接依赖 | maven |
| commons-logging:commons-logging | 1.0.4 | 间接依赖 | maven |
| org.yaml:snakeyaml | 2.2 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-ext | 1.17 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-transcoder | 1.16 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-constants | 1.16 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-gvt | 1.17 | 间接依赖 | maven |
| org.kordamp.ikonli:ikonli-core | 12.3.1 | 直接依赖 | maven |
| com.googlecode.javaewah:JavaEWAH | 1.2.3 | 间接依赖 | maven |
| de.tototec:de.tototec.cmdoption | 0.7.1 | 直接依赖 | maven |
| org.apache.xmlgraphics:batik-awt-util | 1.16 | 间接依赖 | maven |
| org.springframework:spring-web | 6.1.2 | 间接依赖 | maven |
| org.apache.xmlgraphics:fop-util | 2.9 | 间接依赖 | maven |
| org.jruby:dirgra | 0.3 | 间接依赖 | maven |
| com.fasterxml.jackson.module:jackson-module-parameter-names | 2.15.3 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter | 3.2.1 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-extension | 1.17 | 间接依赖 | maven |
| com.github.jnr:jnr-x86asm | 1.0.2 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-css | 1.16 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-dom | 1.16 | 间接依赖 | maven |
| org.ow2.asm:asm-tree | 9.2 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-svggen | 1.16 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-codec | 1.16 | 直接依赖 | maven |
| com.install4j:install4j-runtime | 10.0.6 | 直接依赖 | maven |
| jakarta.websocket:jakarta.websocket-client-api | 2.1.1 | 间接依赖 | maven |
| jakarta.activation:jakarta.activation-api | 2.1.2 | 间接依赖 | maven |
| com.sun.istack:istack-commons-tools | 4.1.2 | 间接依赖 | maven |
| org.apache.xmlgraphics:fop-core | 2.9 | 间接依赖 | maven |
| com.github.jnr:jnr-ffi | 2.2.15 | 间接依赖 | maven |
| com.sun.istack:istack-commons-runtime | 4.1.2 | 间接依赖 | maven |
| javax.validation:validation-api | 2.0.0.Final | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-shared-resources | 1.16 | 间接依赖 | maven |
| org.apache.logging.log4j:log4j-api | 2.21.1 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.15.3 | 间接依赖 | maven |
| org.eclipse.jgit:org.eclipse.jgit | 6.8.0.202311291450-r | 直接依赖 | maven |
| org.eclipse.angus:angus-activation | 2.0.1 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-logging | 3.2.1 | 间接依赖 | maven |
| org.springframework:spring-websocket | 6.1.2 | 间接依赖 | maven |
| com.sun.xml.dtd-parser:dtd-parser | 1.5.0 | 间接依赖 | maven |
| org.apache.xmlgraphics:fop-events | 2.9 | 间接依赖 | maven |
| net.sourceforge.plantuml:plantuml | 1.2023.12 | 直接依赖 | maven |
| jakarta.websocket:jakarta.websocket-api | 2.1.1 | 间接依赖 | maven |
| org.glassfish.jaxb:jaxb-core | 4.0.4 | 间接依赖 | maven |
| org.jruby:jruby | 9.4.5.0 | 间接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.1.1 | 间接依赖 | maven |
| org.jboss.logging:jboss-logging | 3.5.3.Final | 间接依赖 | maven |
| com.beust:jcommander | 1.82 | 间接依赖 | maven |
| net.lingala.zip4j:zip4j | 2.11.5 | 直接依赖 | maven |
| org.asciidoctor:asciidoctorj-epub3 | 1.5.1 | 直接依赖 | maven |
| org.zeroturnaround:zt-exec | 1.10 | 直接依赖 | maven |
| commons-codec:commons-codec | 1.16.0 | 间接依赖 | maven |
| org.carrot2:morfologik-speller | 2.1.9 | 直接依赖 | maven |
| joda-time:joda-time | 2.12.5 | 间接依赖 | maven |
| org.carrot2:morfologik-fsa | 2.1.9 | 间接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.13.0 | 间接依赖 | maven |
| org.jetbrains:annotations | 20.1.0 | 间接依赖 | maven |
| org.glassfish.jaxb:txw2 | 4.0.4 | 间接依赖 | maven |
| com.ibm.icu:icu4j | 74.2 | 间接依赖 | maven |
| org.apache.tomcat.embed:tomcat-embed-el | 10.1.17 | 间接依赖 | maven |
| org.wildfly.client:wildfly-client-config | 1.0.1.Final | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-script | 1.16 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-websocket | 3.2.1 | 直接依赖 | maven |
| org.jboss.threads:jboss-threads | 3.5.0.Final | 间接依赖 | maven |
| org.springframework.boot:spring-boot | 3.2.1 | 间接依赖 | maven |
| org.apache.xmlgraphics:xmlgraphics-commons | 2.9 | 间接依赖 | maven |
| com.headius:options | 1.6 | 间接依赖 | maven |
| org.asciidoctor:asciidoctorj-api | 2.5.11 | 间接依赖 | maven |
| com.sun.xml.bind.external:relaxng-datatype | 4.0.4 | 间接依赖 | maven |
| org.slf4j:slf4j-api | 2.0.9 | 间接依赖 | maven |
| io.micrometer:micrometer-observation | 1.12.1 | 间接依赖 | maven |
| commons-io:commons-io | 2.13.0 | 直接依赖 | maven |
| org.apache.xmlgraphics:batik-bridge | 1.16 | 间接依赖 | maven |
| org.eclipse.parsson:jakarta.json | 1.1.1 | 直接依赖 | maven |
| xml-apis:xml-apis-ext | 1.3.04 | 间接依赖 | maven |
| org.jooq:joox | 1.6.2 | 直接依赖 | maven |
| org.glassfish.jaxb:jaxb-runtime | 4.0.4 | 直接依赖 | maven |
| org.asciidoctor:asciidoctorj-pdf | 2.3.10 | 直接依赖 | maven |
| org.apache.pdfbox:fontbox | 2.0.27 | 间接依赖 | maven |
| xalan:xalan | 2.7.3 | 直接依赖 | maven |
| org.apache.logging.log4j:log4j-to-slf4j | 2.21.1 | 间接依赖 | maven |
| net.java.dev.jna:jna | 5.10.0 | 间接依赖 | maven |
| org.ow2.asm:asm | 9.2 | 间接依赖 | maven |
| com.github.jnr:jnr-netdb | 1.2.0 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-autoconfigure | 3.2.1 | 间接依赖 | maven |
| com.sun.xml.bind.external:rngom | 4.0.4 | 间接依赖 | maven |
| org.jruby:jzlib | 1.1.5 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-util | 1.16 | 间接依赖 | maven |
| javax.xml.bind:jaxb-api | 2.3.0 | 间接依赖 | maven |
| org.kordamp.ikonli:ikonli-javafx | 12.3.1 | 直接依赖 | maven |
| org.springframework.boot:spring-boot-starter-web | 3.2.1 | 直接依赖 | maven |
| org.springframework:spring-context | 6.1.2 | 间接依赖 | maven |
| io.github.toolfactory:narcissus | 1.0.7 | 间接依赖 | maven |
| org.springframework:spring-context-indexer | 6.0.11 | 直接依赖 | maven |
| io.micrometer:micrometer-commons | 1.12.1 | 间接依赖 | maven |
| org.jetbrains.pty4j:pty4j | 0.12.7 | 间接依赖 | maven |
| org.glassfish.jaxb:codemodel | 4.0.4 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-xml | 1.16 | 间接依赖 | maven |
| org.wildfly.common:wildfly-common | 1.5.4.Final | 间接依赖 | maven |
| org.springframework:spring-beans | 6.1.2 | 间接依赖 | maven |
| io.undertow:undertow-websockets-jsr | 2.3.10.Final | 间接依赖 | maven |
| org.jruby.jcodings:jcodings | 1.0.58 | 间接依赖 | maven |
| org.carrot2:morfologik-stemming | 2.1.9 | 间接依赖 | maven |
| com.github.jnr:jnr-a64asm | 1.0.0 | 间接依赖 | maven |
| org.asciidoctor:asciidoctorj-diagram | 2.2.14 | 直接依赖 | maven |
| com.ibm.icu:icu4j-charset | 74.2 | 直接依赖 | maven |
| jakarta.json:jakarta.json-api | 2.1.1 | 直接依赖 | maven |
| org.jruby:jruby-stdlib | 9.4.5.0 | 间接依赖 | maven |
| org.kordamp.ikonli:ikonli-fontawesome-pack | 12.3.1 | 直接依赖 | maven |
| org.ow2.asm:asm-util | 9.2 | 间接依赖 | maven |
| org.jetbrains.pty4j:purejavacomm | 0.0.11.1 | 间接依赖 | maven |
| com.github.jnr:jnr-enxio | 0.32.16 | 间接依赖 | maven |
| org.glassfish.jaxb:jaxb-xjc | 4.0.4 | 直接依赖 | maven |
| org.ow2.asm:asm-analysis | 9.2 | 间接依赖 | maven |
| com.github.jnr:jnr-constants | 0.10.4 | 间接依赖 | maven |
| net.java.dev.jna:jna-platform | 5.10.0 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-undertow | 3.2.1 | 直接依赖 | maven |
| jakarta.servlet:jakarta.servlet-api | 6.0.0 | 间接依赖 | maven |
| org.jboss.xnio:xnio-api | 3.8.8.Final | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.15.3 | 间接依赖 | maven |
| xalan:serializer | 2.7.3 | 直接依赖 | maven |
| com.vaadin:open | 8.5.0 | 直接依赖 | maven |
| org.springframework:spring-aop | 6.1.2 | 间接依赖 | maven |
| org.glassfish.jaxb:xsom | 4.0.4 | 间接依赖 | maven |
| com.kodedu.terminalfx:terminalfx | 1.2.0 | 直接依赖 | maven |
| org.asciidoctor:asciidoctorj-diagram-ditaamini | 1.0.3 | 间接依赖 | maven |
| com.github.jnr:jnr-unixsocket | 0.38.21 | 间接依赖 | maven |
| com.thoughtworks.qdox:qdox | 1.12 | 间接依赖 | maven |
| com.github.jnr:jffi | 1.3.12 | 间接依赖 | maven |
| org.asciidoctor:asciidoctorj | 2.5.11 | 直接依赖 | maven |
| org.springframework:spring-webmvc | 6.1.2 | 间接依赖 | maven |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.15.3 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-svg-dom | 1.16 | 间接依赖 | maven |
| one.jpro:openjfx-monocle | jfx-21 | 直接依赖 | maven |
| org.springframework:spring-expression | 6.1.2 | 间接依赖 | maven |
| com.github.jnr:jnr-posix | 3.1.18 | 间接依赖 | maven |
| org.apache.xmlgraphics:batik-anim | 1.17 | 间接依赖 | maven |
| io.undertow:undertow-core | 2.3.10.Final | 间接依赖 | maven |
| org.scilab.forge:jlatexmath-font-cyrillic | 1.0.7 | 间接依赖 | maven |
| me.qmx.jitescript:jitescript | 0.4.1 | 间接依赖 | maven |
| org.jruby.joni:joni | 2.2.1 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-core | 2.15.3 | 间接依赖 | maven |
| xml-apis:xml-apis | 1.4.01 | 间接依赖 | maven |
| org.slf4j:jul-to-slf4j | 2.0.9 | 间接依赖 | maven |
| io.undertow:undertow-servlet | 2.3.10.Final | 间接依赖 | maven |
| com.fasterxml.jackson.datatype:jackson-datatype-jdk8 | 2.15.3 | 间接依赖 | maven |
| org.scilab.forge:jlatexmath | 1.0.7 | 直接依赖 | maven |
| org.ow2.asm:asm-commons | 9.2 | 间接依赖 | maven |
| org.glassfish.jaxb:jaxb-jxc | 4.0.4 | 直接依赖 | maven |
| com.headius:backport9 | 1.13 | 间接依赖 | maven |
| org.asciidoctor:asciidoctorj-revealjs | 5.1.0 | 直接依赖 | maven |
| org.jboss.xnio:xnio-nio | 3.8.8.Final | 间接依赖 | maven |
| org.asciidoctor:asciidoctorj-diagram-plantuml | 1.2023.12 | 间接依赖 | maven |
| org.springframework.boot:spring-boot-starter-json | 3.2.1 | 间接依赖 | maven |
| org.scilab.forge:jlatexmath-font-greek | 1.0.7 | 间接依赖 | maven |
| com.dooapp.fxform2:core | 9.0.0 | 直接依赖 | maven |
| io.github.toolfactory:jvm-driver | 9.6.0 | 直接依赖 | maven |
| io.github.classgraph:classgraph | 4.8.165 | 直接依赖 | maven |