基础信息
项目名称:signal18/replication-manager
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1755997446958592000/1755997447034089472
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Oracle MySQL Server组件安全漏洞 | MPS-2017-11799 | CVE-2017-10320 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2017-11844 | CVE-2017-10365 | 低危 | |
| Oracle MySQL Server 安全漏洞 | MPS-2017-8622 | CVE-2017-3636 | 中危 | |
| Oracle MySQL Server组件访问限制绕过漏洞 | 访问控制不当 | MPS-2018-0679 | CVE-2018-2562 | 高危 |
| MariaDB和Percona XtraDB Cluster 安全漏洞 | MPS-2018-1101 | CVE-2017-15365 | 高危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-13764 | CVE-2018-3251 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5080 | CVE-2018-2761 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5084 | CVE-2018-2766 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5099 | CVE-2018-2782 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5101 | CVE-2018-2784 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5134 | CVE-2018-2817 | 中危 | |
| Oracle MySQL Server组件安全漏洞 | MPS-2018-5136 | CVE-2018-2819 | 中危 | |
| Oracle MySQL Server 访问控制错误漏洞 | 拒绝服务 | MPS-2019-0716 | CVE-2019-2510 | 中危 |
| Oracle MySQL Server 输入验证错误漏洞 | MPS-2019-4369 | CVE-2019-2627 | 中危 | |
| Oracle MySQL Server 输入验证错误漏洞 | MPS-2019-4370 | CVE-2019-2628 | 中危 | |
| jwt-go 安全漏洞 | 授权检查缺失 | MPS-2020-13786 | CVE-2020-26160 | 高危 |
| MariaDB 安全漏洞 | 代码注入 | MPS-2020-18075 | CVE-2020-28912 | 高危 |
| Oracle MySQL Server 输入验证错误漏洞 | MPS-2021-10287 | CVE-2021-2389 | 中危 | |
| Oracle MySQL Server 输入验证错误漏洞 | MPS-2021-10412 | CVE-2021-2372 | 中危 | |
| Oracle MySQL Server 输入验证错误漏洞 | MPS-2021-26704 | CVE-2021-35604 | 中危 | |
| MariaDB 操作系统命令注入漏洞 | 代码注入 | MPS-2021-3471 | CVE-2021-27928 | 高危 |
| Gin-Gonic Gin 环境问题漏洞 | HTTP请求走私 | MPS-2021-5932 | CVE-2020-28483 | 高危 |
| MariaDB 安全漏洞 | 命令注入 | MPS-2021-7350 | CVE-2020-15180 | 严重 |
| go.uuid 不安全的随机性漏洞 | 使用具有密码学弱点缺陷的PRNG | MPS-2021-7854 | CVE-2021-3538 | 严重 |
| MariaDB 安全漏洞 | 加锁机制不恰当 | MPS-2022-12646 | CVE-2022-31624 | 中危 |
| MariaDB Server拒绝服务漏洞 | 加锁机制不恰当 | MPS-2022-12647 | CVE-2022-31623 | 中危 |
| MariaDB 安全漏洞 | 加锁机制不恰当 | MPS-2022-12648 | CVE-2022-31622 | 中危 |
| MariaDB Server拒绝服务漏洞 | 加锁机制不恰当 | MPS-2022-12650 | CVE-2022-31621 | 中危 |
| MariaDB 安全漏洞 | 拒绝服务 | MPS-2022-17010 | CVE-2022-32085 | 高危 |
| MariaDB 安全漏洞 | 拒绝服务 | MPS-2022-17012 | CVE-2022-32087 | 高危 |
| MariaDB 安全漏洞 | 拒绝服务 | MPS-2022-17013 | CVE-2022-32088 | 高危 |
| MariaDB 输入验证错误漏洞 | 栈缓冲区溢出 | MPS-2022-2797 | CVE-2022-24048 | 高危 |
| MariaDB 资源管理错误漏洞 | UAF | MPS-2022-2799 | CVE-2022-24050 | 高危 |
| MariaDB 格式化字符串错误漏洞 | 使用外部控制的格式字符串 | MPS-2022-2800 | CVE-2022-24051 | 高危 |
| MariaDB 输入验证错误漏洞 | 堆缓冲区溢出 | MPS-2022-2801 | CVE-2022-24052 | 高危 |
| MariaDB 资源管理错误漏洞 | UAF | MPS-2022-2955 | CVE-2021-46669 | 高危 |
| MariaDB 资源管理错误漏洞 | 拒绝服务 | MPS-2022-2956 | CVE-2021-46668 | 中危 |
| MariaDB 输入验证错误漏洞 | 整数溢出或环绕 | MPS-2022-2957 | CVE-2021-46667 | 中危 |
| MariaDB 代码问题漏洞 | 可达断言 | MPS-2022-2958 | CVE-2021-46666 | 中危 |
| MariaDB 代码问题漏洞 | 空指针取消引用 | MPS-2022-2959 | CVE-2021-46664 | 中危 |
| MariaDB 代码问题漏洞 | MPS-2022-2960 | CVE-2021-46665 | 中危 | |
| MariaDB 代码问题漏洞 | MPS-2022-2962 | CVE-2021-46661 | 中危 | |
| MariaDB 安全漏洞 | 输入验证不恰当 | MPS-2022-2972 | CVE-2021-46658 | 中危 |
| MariaDB 安全漏洞 | MPS-2022-2973 | CVE-2021-46659 | 中危 | |
| MariaDB拒绝服务漏洞 | SQL注入 | MPS-2022-8546 | CVE-2022-27386 | 高危 |
| MariaDB拒绝服务漏洞 | 经典缓冲区溢出 | MPS-2022-8547 | CVE-2022-27387 | 高危 |
| MariaDB拒绝服务漏洞 | UAF | MPS-2022-8548 | CVE-2022-27383 | 高危 |
| MariaDB拒绝服务漏洞 | SQL注入 | MPS-2022-8549 | CVE-2022-27384 | 高危 |
| MariaDB SQL注入漏洞 | SQL注入 | MPS-2022-8551 | CVE-2022-27381 | 高危 |
| MariaDB SQL注入漏洞 | SQL注入 | MPS-2022-8554 | CVE-2022-27380 | 高危 |
| MariaDB 资源管理错误漏洞 | UAF | MPS-2022-8555 | CVE-2022-27377 | 高危 |
| MariaDB SQL注入漏洞 | SQL注入 | MPS-2022-8556 | CVE-2022-27378 | 高危 |
| MariaDB 安全漏洞 | 拒绝服务 | MPS-2022-8690 | CVE-2022-27449 | 高危 |
| MariaDB 安全漏洞 | 拒绝服务 | MPS-2022-8694 | CVE-2022-27445 | 高危 |
| Gin-Gonic Gin 输入验证错误漏洞 | 输入验证不恰当 | MPS-2023-5119 | CVE-2023-26125 | 高危 |
| Gin 安全漏洞 | 下载代码缺少完整性检查 | MPS-2023-9711 | CVE-2023-29401 | 中危 |
| Google Golang 资源管理错误漏洞 | 不加限制或调节的资源分配 | MPS-c8am-hbny | CVE-2023-39325 | 高危 |
| MariaDB 资源管理错误漏洞 | MPS-fdz0-9u2p | CVE-2023-5157 | 高危 | |
| go-git 路径遍历漏洞 | 路径遍历 | MPS-hw9b-igj4 | CVE-2023-49569 | 严重 |
| SSH协议前缀截断攻击(Terrapin攻击) | 安全相关信息的截断 | MPS-nv0f-qtib | CVE-2023-48795 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| mariadb | 10.2.4 | 10.9.3 | 间接依赖 | 强烈建议修复 |
| mariadb | 10.2.7 | 10.9.3 | 间接依赖 | 强烈建议修复 |
| github.com/satori/go.uuid | v1.2.0 | 直接依赖 | 建议修复 | |
| golang.org/x/crypto | v0.6.0 | 0.17.0 | 直接依赖 | 建议修复 |
| github.com/gin-gonic/gin | v1.7.2 | 1.9.1 | 间接依赖 | 建议修复 |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 4.0.0-preview1 | 直接依赖 | 建议修复 |
| golang.org/x/net | v0.8.0 | 0.17.0 | 直接依赖 | 可选修复 |
| github.com/go-git/go-git/v5 | v5.6.1 | 5.11.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| BSD-3-Clause | 32 | 低 |
| BSD-2-Clause | 10 | 低 |
| MIT | 54 | 低 |
| MPL-2.0 | 3 | 低 |
| Apache-2.0 | 32 | 低 |
| LGPL-3.0 | 2 | 中 |
| ISC | 2 | 低 |
| 未知许可证 | 1 | 低 |
| HPND | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/google/uuid | v1.1.2 | 直接依赖 | go |
| github.com/gonum/internal | v0.0.0-20180125090855-fda53f8d2571 | 间接依赖 | go |
| github.com/aclements/go-moremath | v0.0.0-20170210193428-033754ab1fee | 间接依赖 | go |
| github.com/pkg/xattr | v0.4.6 | 直接依赖 | go |
| github.com/codegangsta/negroni | v0.3.0 | 直接依赖 | go |
| github.com/hashicorp/vault/api/auth/approle | v0.4.0 | 间接依赖 | go |
| github.com/desertbit/timer | v0.0.0-20180107155436-c41aec40b27f | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest/to | v0.4.0 | 间接依赖 | go |
| github.com/smartystreets/goconvey | v1.7.2 | 间接依赖 | go |
| github.com/go-git/go-git | v4.7.0+incompatible | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest/azure/cli | v0.4.0 | 直接依赖 | go |
| github.com/siddontang/go-log | v0.0.0-20190221022429-1e957dd83bed | 间接依赖 | go |
| github.com/lestrrat/go-envload | v0.0.0-20180220120943-6ed08b54a570 | 间接依赖 | go |
| github.com/percona/go-mysql | v0.0.0-20190307200310-f5cfaf6a5e55 | 直接依赖 | go |
| github.com/BurntSushi/toml | v0.3.1 | 直接依赖 | go |
| github.com/sirupsen/logrus | v1.7.0 | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/validation | v0.3.0 | 间接依赖 | go |
| github.com/mattn/go-runewidth | v0.0.13 | 间接依赖 | go |
| github.com/aws/aws-sdk-go | v1.29.24 | 直接依赖 | go |
| github.com/kisielk/og-rek | v0.0.0-20170425174049-dd41cde712de | 直接依赖 | go |
| github.com/juju/testing | v0.0.0-20220203020004-a0ff61f03494 | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest | v0.11.1 | 直接依赖 | go |
| github.com/Azure/azure-pipeline-go | v0.2.2 | 直接依赖 | go |
| github.com/dgryski/carbonzipper | v0.0.0-20170426152955-d1a3cec4169b | 直接依赖 | go |
| libc.so.6 | 间接依赖 | ||
| github.com/siddontang/go-mysql-elasticsearch | v0.0.0-20180201161913-f34f371d4391 | 直接依赖 | go |
| github.com/juju/errors | v0.0.0-20220203013757-bd733f3c86b9 | 直接依赖 | go |
| github.com/gregdel/pushover | v1.1.0 | 直接依赖 | go |
| github.com/gonum/floats | v0.0.0-20180125090339-7de1f4ea7ab5 | 间接依赖 | go |
| github.com/grpc-ecosystem/go-grpc-middleware | v1.3.0 | 直接依赖 | go |
| github.com/bluele/slack | v0.0.0-20180528010058-b4b4d354a079 | 间接依赖 | go |
| github.com/coreos/go-oidc/v3 | v3.6.0 | 间接依赖 | go |
| github.com/facebookgo/freeport | v0.0.0-20150612182905-d4adf43b75b9 | 间接依赖 | go |
| libpthread.so.0 | 间接依赖 | ||
| github.com/siddontang/go-mysql | v0.0.0-20190311123328-7fc3b28d6104 | 直接依赖 | go |
| github.com/pingcap/dumpling | v0.0.0-20200319081211-255ce0d25719 | 直接依赖 | go |
| github.com/howeyc/fsnotify | v0.0.0-20151003194602-f0c08ee9c607 | 直接依赖 | go |
| github.com/gorilla/handlers | v1.3.0 | 直接依赖 | go |
| github.com/micro/go-micro | v0.27.1 | 直接依赖 | go |
| google.golang.org/grpc | v1.38.0 | 直接依赖 | go |
| github.com/mcuadros/go-version | v0.0.0-20190830083331-035f6764e8d2 | 间接依赖 | go |
| github.com/facebookgo/ensure | v0.0.0-20200202191622-63f1cf65ac4c | 间接依赖 | go |
| golang.org/x/oauth2 | v0.6.0 | 间接依赖 | go |
| github.com/mattn/go-sqlite3 | v1.9.0 | 直接依赖 | go |
| /usr/lib/libiconv.2.dylib | 间接依赖 | ||
| github.com/bradfitz/gomemcache | v0.0.0-20170208213004-1952afaa557d | 直接依赖 | go |
| librt.so.1 | 间接依赖 | ||
| github.com/tebeka/strftime | v0.1.5 | 直接依赖 | go |
| github.com/dgryski/go-expirecache | v0.0.0-20170314133854-743ef98b2adb | 直接依赖 | go |
| github.com/davecgh/go-spew | v1.1.1 | 直接依赖 | go |
| github.com/gonum/blas | v0.0.0-20180125090452-e7c5890b24cf | 间接依赖 | go |
| github.com/jmoiron/sqlx | v1.2.0 | 直接依赖 | go |
| github.com/pelletier/go-toml | v1.9.5 | 间接依赖 | go |
| /usr/lib/libncurses.5.4.dylib | 间接依赖 | ||
| github.com/lib/pq | v1.3.0 | 直接依赖 | go |
| github.com/Azure/azure-sdk-for-go | v44.0.0+incompatible | 直接依赖 | go |
| github.com/dustin/go-humanize | v1.0.0 | 直接依赖 | go |
| libncurses.so.5 | 间接依赖 | ||
| github.com/atc0005/go-teams-notify/v2 | v2.8.0 | 间接依赖 | go |
| mariadb | 10.2.7 | 间接依赖 | |
| github.com/dasrick/go-teams-notify/v2 | v2.1.0 | 间接依赖 | go |
| github.com/improbable-eng/grpc-web | v0.14.0 | 直接依赖 | go |
| github.com/gonum/matrix | v0.0.0-20180124231301-a41cc49d4c29 | 直接依赖 | go |
| github.com/JaderDias/movingmedian | v0.0.0-20170611140316-de8c410559fa | 直接依赖 | go |
| github.com/dgrijalva/jwt-go | v3.2.0+incompatible | 直接依赖 | go |
| github.com/mjibson/go-dsp | v0.0.0-20170104183934-49dba8372707 | 直接依赖 | go |
| github.com/siddontang/go | v0.0.0-20180604090527-bdc77568d726 | 直接依赖 | go |
| github.com/facebookgo/httpdown | v0.0.0-20160323221027-a3b1354551a2 | 间接依赖 | go |
| github.com/jehiah/go-strftime | v0.0.0-20171201141054-1d33003b3869 | 间接依赖 | go |
| github.com/asaskevich/govalidator | v0.0.0-20190424111038-f61b66f89f4a | 直接依赖 | go |
| github.com/gogo/protobuf | v1.3.2 | 直接依赖 | go |
| github.com/gorilla/mux | v1.8.0 | 直接依赖 | go |
| github.com/facebookgo/subset | v0.0.0-20200203212716-c811ad88dec4 | 间接依赖 | go |
| github.com/miekg/dns | v1.1.43 | 间接依赖 | go |
| github.com/ggwhite/go-masker | v1.0.9 | 间接依赖 | go |
| libm.so.6 | 间接依赖 | ||
| github.com/alyu/configparser | v0.0.0-20151125021232-26b2fe18bee1 | 直接依赖 | go |
| /usr/lib/libz.1.dylib | 间接依赖 | ||
| github.com/peterbourgon/g2g | v0.0.0-20161124161852-0c2bab2b173d | 直接依赖 | go |
| github.com/NYTimes/gziphandler | v1.0.1 | 直接依赖 | go |
| github.com/yoheimuta/protolint | v0.32.0 | 直接依赖 | go |
| golang.org/x/crypto | v0.6.0 | 直接依赖 | go |
| github.com/klauspost/pgzip | v1.2.6 | 直接依赖 | go |
| github.com/spf13/viper | v1.4.0 | 直接依赖 | go |
| github.com/iu0v1/gelada | v1.2.2 | 直接依赖 | go |
| /usr/local/opt/gnutls/lib/libgnutls.30.dylib | 间接依赖 | ||
| k8s.io/apimachinery | v0.20.0 | 直接依赖 | go |
| github.com/go-sql-driver/mysql | v1.5.0 | 直接依赖 | go |
| gopkg.in/natefinch/lumberjack.v2 | v2.0.0 | 直接依赖 | go |
| github.com/bluele/logrus_slack | v0.0.0-20170812021752-74aa3c9b7cc3 | 直接依赖 | go |
| github.com/helloyi/go-sshclient | v1.0.0 | 直接依赖 | go |
| github.com/facebookgo/stack | v0.0.0-20160209184415-751773369052 | 间接依赖 | go |
| github.com/facebookgo/clock | v0.0.0-20150410010913-600d898af40a | 间接依赖 | go |
| google.golang.org/genproto | v0.0.0-20210617175327-b9e0b3197ced | 直接依赖 | go |
| github.com/jacobsa/fuse | v0.0.0-20211125163655-ffd6c474e806 | 直接依赖 | go |
| github.com/urfave/cli | v1.22.3 | 直接依赖 | go |
| /usr/lib/libedit.3.dylib | 间接依赖 | ||
| libstdc++.so.6 | 间接依赖 | ||
| /usr/lib/libSystem.B.dylib | 间接依赖 | ||
| github.com/gorilla/context | v1.1.1 | 间接依赖 | go |
| github.com/dgryski/go-trigram | v0.0.0-20160407183937-79ec494e1ad0 | 直接依赖 | go |
| github.com/go-ole/go-ole | v1.2.5 | 间接依赖 | go |
| github.com/wangjohn/quickselect | v0.0.0-20161129230411-ed8402a42d5f | 直接依赖 | go |
| github.com/grpc-ecosystem/grpc-gateway/v2 | v2.5.0 | 直接依赖 | go |
| github.com/xanzy/go-gitlab | v0.85.0 | 间接依赖 | go |
| github.com/lestrrat/go-strftime | v0.0.0-20170113112000-04ef93e28531 | 直接依赖 | go |
| github.com/facebookgo/grace | v0.0.0-20170218225239-4afe952a37a4 | 直接依赖 | go |
| github.com/xwb1989/sqlparser | v0.0.0-20171128062118-da747e0c62c4 | 直接依赖 | go |
| github.com/Azure/azure-storage-blob-go | v0.8.0 | 直接依赖 | go |
| github.com/jordan-wright/email | v0.0.0-20160301001728-a62870b0c368 | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/azure/auth | v0.5.0 | 直接依赖 | go |
| golang.org/x/net | v0.8.0 | 直接依赖 | go |
| github.com/hashicorp/vault/api | v1.9.0 | 间接依赖 | go |
| libdl.so.2 | 间接依赖 | ||
| github.com/gonum/lapack | v0.0.0-20180125091020-f0b8b25edece | 间接依赖 | go |
| /usr/lib/libc++.1.dylib | 间接依赖 | ||
| github.com/satori/go.uuid | v1.2.0 | 直接依赖 | go |
| google.golang.org/grpc/cmd/protoc-gen-go-grpc | v1.1.0 | 直接依赖 | go |
| gopkg.in/check.v1 | v1.0.0-20201130134442-10cb98267c6c | 直接依赖 | go |
| github.com/evmar/gocairo | v0.0.0-20160222165215-ddd30f837497 | 直接依赖 | go |
| gopkg.in/src-d/go-git.v4 | v4.13.1 | 间接依赖 | go |
| github.com/mitchellh/go-homedir | v1.1.0 | 直接依赖 | go |
| k8s.io/api | v0.20.0 | 直接依赖 | go |
| github.com/spf13/cobra | v0.0.6 | 直接依赖 | go |
| github.com/magneticio/vamp-router | v0.0.0-20151116102511-29379b621548 | 直接依赖 | go |
| github.com/facebookgo/atomicfile | v0.0.0-20151019160806-2de1f203e7d5 | 间接依赖 | go |
| github.com/rs/cors | v1.7.0 | 间接依赖 | go |
| github.com/dgryski/go-onlinestats | v0.0.0-20170612111826-1c7d19468768 | 直接依赖 | go |
| github.com/StackExchange/wmi | v0.0.0-20210224194228-fe8f1750fd46 | 间接依赖 | go |
| github.com/lestrrat/go-file-rotatelogs | v0.0.0-20171229092148-f984502973a0 | 直接依赖 | go |
| github.com/facebookgo/stats | v0.0.0-20151006221625-1b76add642e4 | 间接依赖 | go |
| nhooyr.io/websocket | v1.8.7 | 间接依赖 | go |
| k8s.io/client-go | v0.20.0 | 直接依赖 | go |
| github.com/fastly/go-utils | v0.0.0-20180712184237-d95a45783239 | 间接依赖 | go |
| mariadb | 10.2.4 | 间接依赖 | |
| github.com/hydrogen18/stalecucumber | v0.0.0-20161215203336-0a94983f3e27 | 直接依赖 | go |
| github.com/stretchr/testify | v1.8.4 | 直接依赖 | go |
| github.com/gin-gonic/gin | v1.7.2 | 间接依赖 | go |
| github.com/hpcloud/tail | v1.0.0 | 直接依赖 | go |
| github.com/gorilla/securecookie | v1.1.1 | 间接依赖 | go |
| github.com/nsf/termbox-go | v0.0.0-20180129072728-88b7b944be8b | 直接依赖 | go |
| github.com/gwenn/yacr | v0.0.0-20180209192453-77093bdc7e72 | 直接依赖 | go |
| angular-material-data-table | 0.10.10 | 直接依赖 | npm |
| github.com/spf13/pflag | v1.0.5 | 直接依赖 | go |
| google.golang.org/grpc/examples | v0.0.0-20220316190256-c4cabf78f4a2 | 间接依赖 | go |
| google.golang.org/protobuf | v1.29.1 | 直接依赖 | go |
| github.com/shirou/gopsutil | v2.20.2+incompatible | 直接依赖 | go |
| github.com/Azure/go-autorest/autorest/adal | v0.9.5 | 直接依赖 | go |
| gopkg.in/ini.v1 | v1.55.0 | 直接依赖 | go |
| github.com/gorilla/sessions | v0.0.0-20180209192218-6ba88b7f1c1e | 间接依赖 | go |
| github.com/go-git/go-git/v5 | v5.6.1 | 间接依赖 | go |
| github.com/dgryski/httputil | v0.0.0-20160116060654-189c2918cd08 | 直接依赖 | go |
| github.com/facebookgo/pidfile | v0.0.0-20150612191647-f242e2999868 | 直接依赖 | go |