基础信息
项目名称:rayokota/hgraphdb
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1745435499381497856/1755999049086251008
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Eclipse Jetty 资源管理错误漏洞 | 拒绝服务 | MPS-0e59-bdsi | CVE-2023-36478 | 高危 |
| Google protobuf 缓冲区错误漏洞 | 越界写入 | MPS-2017-10841 | CVE-2015-5237 | 高危 |
| Eclipse Jetty 编码字符敏感信息泄露漏洞 | 未授权敏感信息泄露 | MPS-2021-10800 | CVE-2021-34429 | 中危 |
| Google protobuf DOS漏洞 | 不正确的行为次序 | MPS-2021-19066 | CVE-2021-22569 | 中危 |
| org.apache.hadoop:hadoop-hdfs | XXE | MPS-2022-12474 | 中危 | |
| FasterXML Jackson-databind 拒绝服务漏洞 | 拒绝服务 | MPS-2022-12500 | 中危 | |
| Eclipse Jetty URI注入漏洞 | 注入 | MPS-2022-18060 | CVE-2022-2047 | 低危 |
| FasterXML jackson-databind 小于2.14.0-rc1拒绝服务漏洞 | 拒绝服务 | MPS-2022-58653 | CVE-2022-42003 | 中危 |
| FasterXML jackson-databind 小于2.13.4拒绝服务漏洞 | 拒绝服务 | MPS-2022-58654 | CVE-2022-42004 | 中危 |
| IBM WebSphere Application Server Liberty 存在拒绝服务漏洞 | 对因果或异常条件的不恰当检查 | MPS-2022-59813 | CVE-2022-3509 | 中危 |
| FasterXML jackson-databind 拒绝服务漏洞 | 越界写入 | MPS-2022-6242 | CVE-2020-36518 | 高危 |
| Eclipse Jetty 资源管理错误漏洞 | 拒绝服务 | MPS-2023-4997 | CVE-2023-26048 | 中危 |
| Eclipse Jetty 信息泄露漏洞 | XSS | MPS-2023-4998 | CVE-2023-26049 | 中危 |
| jackson-databind 拒绝服务漏洞 | 拒绝服务 | MPS-2023-8438 | CVE-2021-46877 | 中危 |
| Eclipse Jetty 安全漏洞 | MPS-49ot-3w07 | CVE-2023-40167 | 中危 | |
| Netty 资源管理错误漏洞 | 不加限制或调节的资源分配 | MPS-9u07-bna1 | CVE-2023-34462 | 中危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| org.eclipse.jetty:jetty-http | 9.4.43.v20210629 | 11.0.16 | 间接依赖 | 建议修复 |
| io.netty:netty-handler | 4.1.94.Final | 4.1.94.final | 间接依赖 | 建议修复 |
| org.eclipse.jetty:jetty-server | 9.4.43.v20210629 | 9.4.51 | 间接依赖 | 建议修复 |
| org.eclipse.jetty:jetty-server | 9.4.43.v20210629 | 9.4.51 | 间接依赖 | 建议修复 |
| com.google.protobuf:protobuf-java | 2.5.0 | 3.16.3 | 间接依赖 | 建议修复 |
| com.fasterxml.jackson.core:jackson-databind | 2.10.5.1 | 2.16.0 | 间接依赖 | 建议修复 |
| com.fasterxml.jackson.core:jackson-databind | 2.10.5.1 | 2.16.0 | 间接依赖 | 建议修复 |
| com.google.protobuf:protobuf-java | 2.5.0 | 3.16.3 | 间接依赖 | 建议修复 |
| org.apache.hadoop:hadoop-hdfs | 3.2.4 | 3.3.2 | 间接依赖 | 可选修复 |
| org.apache.hadoop:hadoop-hdfs | 3.2.4 | 3.3.2 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| BSD-3-Clause | 5 | 低 |
| MIT | 4 | 低 |
| Apache-2.0 | 67 | 低 |
| GPL-2.0-with-classpath-exception | 2 | 中 |
| CDDL-1.1 | 2 | 低 |
| EPL-1.0 | 5 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| com.esotericsoftware:minlog | 1.3.1 | 间接依赖 | maven |
| org.jruby.joni:joni | 2.1.31 | 间接依赖 | maven |
| org.apache.zookeeper:zookeeper | 3.8.3 | 间接依赖 | maven |
| javax.annotation:javax.annotation-api | 1.2 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.10.5.1 | 间接依赖 | maven |
| org.apache.hbase:hbase-client | 2.5.7-hadoop3 | 直接依赖 | maven |
| org.apache.hbase:hbase-logging | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.apache.hbase:hbase-mapreduce | 2.5.7-hadoop3 | 直接依赖 | maven |
| com.google.cloud.bigtable:bigtable-hbase-2.x-hadoop | 2.12.0 | 直接依赖 | maven |
| org.apache.tinkerpop:gremlin-core | 3.7.1 | 直接依赖 | maven |
| org.apache.hbase:hbase-common | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.apache.hbase:hbase-protocol | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.apache.zookeeper:zookeeper-jute | 3.8.3 | 间接依赖 | maven |
| org.slf4j:slf4j-api | 1.7.33 | 间接依赖 | maven |
| com.github.stephenc.jcip:jcip-annotations | 1.0-1 | 间接依赖 | maven |
| org.apache.hbase.thirdparty:hbase-shaded-miscellaneous | 4.1.5 | 间接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| com.google.protobuf:protobuf-java | 2.5.0 | 间接依赖 | maven |
| com.google.errorprone:error_prone_annotations | 2.21.1 | 间接依赖 | maven |
| org.apache.hbase.thirdparty:hbase-unsafe | 4.1.5 | 间接依赖 | maven |
| org.apache.hbase:hbase-replication | 2.5.7-hadoop3 | 间接依赖 | maven |
| commons-codec:commons-codec | 1.15 | 间接依赖 | maven |
| io.netty:netty-codec | 4.1.94.Final | 间接依赖 | maven |
| io.netty:netty-common | 4.1.94.Final | 间接依赖 | maven |
| org.apache.commons:commons-crypto | 1.1.0 | 间接依赖 | maven |
| io.netty:netty-transport-native-epoll | 4.1.94.Final | 间接依赖 | maven |
| org.antlr:antlr4-runtime | 4.9.1 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-util-ajax | 9.4.43.v20210629 | 间接依赖 | maven |
| org.objenesis:objenesis | 3.3 | 间接依赖 | maven |
| org.apache.hbase:hbase-zookeeper | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.apache.hbase.thirdparty:hbase-shaded-netty | 4.1.5 | 间接依赖 | maven |
| org.apache.commons:commons-text | 1.10.0 | 间接依赖 | maven |
| net.bytebuddy:byte-buddy | 1.14.10 | 间接依赖 | maven |
| org.slf4j:jcl-over-slf4j | 1.7.33 | 间接依赖 | maven |
| org.yaml:snakeyaml | 2.0 | 间接依赖 | maven |
| org.apache.hadoop:hadoop-hdfs | 3.2.4 | 间接依赖 | maven |
| org.apache.curator:curator-framework | 2.13.0 | 间接依赖 | maven |
| net.bytebuddy:byte-buddy-agent | 1.14.10 | 间接依赖 | maven |
| io.netty:netty-transport | 4.1.94.Final | 间接依赖 | maven |
| org.apache.tinkerpop:gremlin-language | 3.7.1 | 间接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.9 | 间接依赖 | maven |
| io.opentelemetry:opentelemetry-semconv | 1.15.0-alpha | 间接依赖 | maven |
| com.squareup:javapoet | 1.13.0 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-util | 9.4.43.v20210629 | 间接依赖 | maven |
| org.apache.yetus:audience-annotations | 0.13.0 | 间接依赖 | maven |
| org.apache.hbase.thirdparty:hbase-shaded-protobuf | 4.1.5 | 间接依赖 | maven |
| io.netty:netty-transport-classes-epoll | 4.1.94.Final | 间接依赖 | maven |
| com.carrotsearch:hppc | 0.7.1 | 间接依赖 | maven |
| org.mockito:mockito-core | 5.8.0 | 直接依赖 | maven |
| org.eclipse.jetty:jetty-http | 9.4.43.v20210629 | 间接依赖 | maven |
| org.apache.commons:commons-configuration2 | 2.9.0 | 间接依赖 | maven |
| io.netty:netty-transport-native-unix-common | 4.1.94.Final | 间接依赖 | maven |
| commons-beanutils:commons-beanutils | 1.9.4 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-io | 9.4.43.v20210629 | 间接依赖 | maven |
| org.jruby.jcodings:jcodings | 1.0.55 | 间接依赖 | maven |
| org.apache.hbase:hbase-metrics | 2.5.7-hadoop3 | 间接依赖 | maven |
| io.opentelemetry:opentelemetry-api | 1.15.0 | 间接依赖 | maven |
| org.apache.hbase.thirdparty:hbase-shaded-gson | 4.1.5 | 间接依赖 | maven |
| org.apache.hadoop:hadoop-auth | 3.2.4 | 间接依赖 | maven |
| org.apache.hbase:hbase-metrics-api | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.xerial.snappy:snappy-java | 1.1.10.4 | 间接依赖 | maven |
| io.netty:netty-buffer | 4.1.94.Final | 间接依赖 | maven |
| net.objecthunter:exp4j | 0.4.8 | 间接依赖 | maven |
| org.eclipse.jetty:jetty-server | 9.4.43.v20210629 | 间接依赖 | maven |
| commons-collections:commons-collections | 3.2.2 | 间接依赖 | maven |
| org.conscrypt:conscrypt-openjdk-uber | 2.5.2 | 间接依赖 | maven |
| io.netty:netty-resolver | 4.1.94.Final | 间接依赖 | maven |
| io.netty:netty-handler | 4.1.94.Final | 间接依赖 | maven |
| org.apache.hbase:hbase-hadoop2-compat | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.apache.hbase:hbase-asyncfs | 2.5.7-hadoop3 | 间接依赖 | maven |
| commons-daemon:commons-daemon | 1.0.13 | 间接依赖 | maven |
| com.esotericsoftware:reflectasm | 1.11.9 | 间接依赖 | maven |
| io.dropwizard.metrics:metrics-core | 3.2.6 | 间接依赖 | maven |
| org.apache.hbase:hbase-protocol-shaded | 2.5.7-hadoop3 | 间接依赖 | maven |
| com.nimbusds:nimbus-jose-jwt | 9.8.1 | 间接依赖 | maven |
| io.opentelemetry:opentelemetry-context | 1.15.0 | 间接依赖 | maven |
| org.apache.tinkerpop:gremlin-shaded | 3.7.1 | 间接依赖 | maven |
| javax.activation:javax.activation-api | 1.2.0 | 间接依赖 | maven |
| com.esotericsoftware:kryo | 5.6.0 | 直接依赖 | maven |
| commons-io:commons-io | 2.11.0 | 间接依赖 | maven |
| org.apache.hbase:hbase-hadoop-compat | 2.5.7-hadoop3 | 间接依赖 | maven |
| org.javatuples:javatuples | 1.2 | 间接依赖 | maven |