基础信息
项目名称:meteoinfo/MeteoInfo
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1758545440627986432/1758545440686706688
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Junit 信息泄露漏洞 | 不安全的临时文件 | MPS-2020-15183 | CVE-2020-15250 | 中危 |
| Guava | 创建拥有不安全权限的临时文件 | MPS-mfku-xzh3 | CVE-2023-2976 | 中危 |
| 【存在争议】FasterXML jackson-databind 代码问题漏洞 | 不加限制或调节的资源分配 | MPS-z1bx-p8y2 | CVE-2023-35116 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | 2.15.1 | 2.16.0 | 直接依赖 | 建议修复 |
| com.google.guava:guava | 31.1-jre | 32.0.0-jre | 直接依赖 | 可选修复 |
| junit:junit | 4.10 | 4.13.1 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 55 | 低 |
| GPL-2.0 | 6 | 中 |
| GPL-3.0 | 4 | 中 |
| MIT | 9 | 低 |
| AGPL-3.0 | 1 | 高 |
| BSD-3-Clause | 5 | 低 |
| LGPL-2.0 | 4 | 中 |
| LGPL-3.0 | 11 | 中 |
| CPL-1.0 | 1 | 低 |
| BSD-2-Clause | 6 | 低 |
| LGPL-2.1-or-later | 2 | 低 |
| MPL-1.1 | 1 | 低 |
| EPL-2.0 | 1 | 低 |
| GPL-2.0-with-classpath-exception | 1 | 中 |
| PSF-2.0 | 1 | 低 |
| EDL-1.0 | 1 | 低 |
| EPL-1.0 | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| org.ejml:ejml-ddense | 0.41.1 | 间接依赖 | maven |
| org.bytedeco:openblas-platform | 0.3.10-1.5.4 | 直接依赖 | maven |
| org.slf4j:slf4j-simple | 1.7.25 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-combinatorics | 1.1 | 直接依赖 | maven |
| com.formdev:flatlaf | 3.3 | 直接依赖 | maven |
| org.meteothink:meteoinfo-ndarray | 3.7.9 | 直接依赖 | maven |
| mipylib | 间接依赖 | pip | |
| com.google.errorprone:error_prone_annotations | 2.11.0 | 间接依赖 | maven |
| dataframe | 间接依赖 | pip | |
| com.itextpdf:itextpdf | 5.5.13.3 | 直接依赖 | maven |
| org.ojalgo:ojalgo | 52.0.1 | 直接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.12.0 | 直接依赖 | maven |
| org.scilab.forge:jlatexmath-font-cyrillic | 1.0.7 | 间接依赖 | maven |
| org.apache.commons:commons-imaging | 1.0-alpha3 | 直接依赖 | maven |
| com.fifesoft:rsyntaxtextarea | 3.3.2 | 直接依赖 | maven |
| org.freehep:freehep-graphicsio-emf | 2.4 | 直接依赖 | maven |
| com.google.j2objc:j2objc-annotations | 1.3 | 间接依赖 | maven |
| org.apache.commons:commons-numbers-rootfinder | 1.1 | 间接依赖 | maven |
| org.freehep:freehep-graphics2d | 2.4 | 直接依赖 | maven |
| org.hamcrest:hamcrest-core | 1.1 | 间接依赖 | maven |
| org.freehep:freehep-io | 2.2.2 | 间接依赖 | maven |
| org.locationtech.proj4j:proj4j | 1.3.0 | 直接依赖 | maven |
| com.fifesoft:autocomplete | 3.3.0 | 直接依赖 | maven |
| org.meteothink:meteoinfo-common | 3.7.9 | 直接依赖 | maven |
| junit:junit | 4.10 | 间接依赖 | maven |
| org.bytedeco:mkl-platform | 2020.3-1.5.4 | 直接依赖 | maven |
| numeric | 间接依赖 | pip | |
| org.jogamp.gluegen:gluegen-rt-main | 2.5.0 | 直接依赖 | maven |
| org.meteothink:meteoinfo-data | 3.7.9 | 直接依赖 | maven |
| de.sciss:docking-frames-common | 2.0.0 | 直接依赖 | maven |
| org.ejml:ejml-cdense | 0.41.1 | 间接依赖 | maven |
| org.apache.commons:commons-math4-legacy-exception | 4.0-beta1 | 间接依赖 | maven |
| scipy | 间接依赖 | pip | |
| org.apache.commons:commons-math4-legacy | 4.0-beta1 | 直接依赖 | maven |
| com.twelvemonkeys.common:common-image | 3.9.4 | 间接依赖 | maven |
| org.freehep:freehep-util | 2.0.2 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-quaternion | 1.1 | 间接依赖 | maven |
| us.hebi.matlab.mat:mfl-core | 0.5.15 | 直接依赖 | maven |
| com.fasterxml.jackson.core:jackson-annotations | 2.15.1 | 直接依赖 | maven |
| org.ejml:ejml-zdense | 0.41.1 | 间接依赖 | maven |
| com.github.weisj:jsvg | 1.2.0 | 间接依赖 | maven |
| org.meteothink:meteoinfo-table | 3.7.9 | 直接依赖 | maven |
| com.github.albfernandez:juniversalchardet | 2.4.0 | 直接依赖 | maven |
| com.twelvemonkeys.common:common-io | 3.9.4 | 间接依赖 | maven |
| com.google.guava:listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava | 间接依赖 | maven |
| nested | 间接依赖 | pip | |
| org.meteothink:meteoinfo-ui | 3.7.9 | 直接依赖 | maven |
| destag | 间接依赖 | pip | |
| org.apache.commons:commons-numbers-arrays | 1.1 | 直接依赖 | maven |
| org.meteothink:meteoinfo-math | 3.7.9 | 直接依赖 | maven |
| org.meteothink:meteoinfo-console | 3.7.9 | 直接依赖 | maven |
| org.apache.commons:commons-math4-core | 4.0-beta1 | 间接依赖 | maven |
| org.meteothink:meteoinfo-projection | 3.7.9 | 直接依赖 | maven |
| jakarta.annotation:jakarta.annotation-api | 2.1.0 | 直接依赖 | maven |
| org.meteothink:meteoinfo-geo | 3.7.9 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-field | 1.1 | 直接依赖 | maven |
| org.bytedeco:mkl | 2020.3-1.5.4 | 间接依赖 | maven |
| org.apache.commons:commons-rng-core | 1.5 | 直接依赖 | maven |
| org.scilab.forge:jlatexmath-font-greek | 1.0.7 | 间接依赖 | maven |
| com.twelvemonkeys.imageio:imageio-metadata | 3.9.4 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-core | 2.15.1 | 间接依赖 | maven |
| org.apache.commons:commons-compress | 1.21 | 直接依赖 | maven |
| org.freehep:freehep-graphicsio-pdf | 2.4 | 直接依赖 | maven |
| org.freehep:freehep-graphicsio-ps | 2.4 | 直接依赖 | maven |
| org.meteothink:wContour | 1.7.1 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-complex | 1.1 | 间接依赖 | maven |
| org.joml:joml | 1.10.5 | 直接依赖 | maven |
| org.ejml:ejml-fsparse | 0.41.1 | 间接依赖 | maven |
| org.python:jython-standalone | 2.7.3 | 直接依赖 | maven |
| com.formdev:flatlaf-extras | 3.3 | 直接依赖 | maven |
| commons-io:commons-io | 2.11.0 | 直接依赖 | maven |
| org.locationtech.jts:jts-core | 1.19.0 | 直接依赖 | maven |
| org.apache.commons:commons-rng-client-api | 1.5 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-angle | 1.1 | 间接依赖 | maven |
| com.l2fprod:l2fprod-common-all | 6.9.1 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-fraction | 1.1 | 间接依赖 | maven |
| org.apache.commons:commons-numbers-gamma | 1.1 | 直接依赖 | maven |
| org.ejml:ejml-core | 0.41.1 | 间接依赖 | maven |
| find_common_type | 间接依赖 | pip | |
| the | 间接依赖 | pip | |
| org.apache.commons:commons-math4-legacy-core | 4.0-beta1 | 间接依赖 | maven |
| com.fasterxml.jackson.core:jackson-databind | 2.15.1 | 直接依赖 | maven |
| org.bytedeco:javacpp-platform | 1.5.4 | 直接依赖 | maven |
| org.meteothink:meteoinfo-geometry | 3.7.9 | 直接依赖 | maven |
| interpolate | 间接依赖 | pip | |
| org.bytedeco:javacpp | 1.5.4 | 间接依赖 | maven |
| org.ejml:ejml-fdense | 0.41.1 | 间接依赖 | maven |
| data | 间接依赖 | pip | |
| org.meteothink:meteoinfo-dataframe | 3.7.9 | 直接依赖 | maven |
| com.google.guava:guava | 31.1-jre | 直接依赖 | maven |
| org.meteothink:meteoinfo-ui | 3.1.6 | 直接依赖 | maven |
| ScalarType | 间接依赖 | pip | |
| org.ejml:ejml-experimental | 0.41.1 | 直接依赖 | maven |
| org.freehep:freehep-graphicsio | 2.4 | 间接依赖 | maven |
| Axes | 间接依赖 | pip | |
| com.toedter:jcalendar | 1.4 | 直接依赖 | maven |
| com.google.guava:failureaccess | 1.0.1 | 间接依赖 | maven |
| org.ejml:ejml-dsparse | 0.41.1 | 间接依赖 | maven |
| org.freehep:freehep-graphicsio-tests | 2.4 | 间接依赖 | maven |
| com.google.code.findbugs:jsr305 | 3.0.2 | 间接依赖 | maven |
| com.twelvemonkeys.imageio:imageio-jpeg | 3.9.4 | 直接依赖 | maven |
| de.sciss:docking-frames-core | 2.0.0 | 直接依赖 | maven |
| org.meteothink:meteoinfo-image | 3.7.9 | 直接依赖 | maven |
| an | 间接依赖 | pip | |
| org.scilab.forge:jlatexmath | 1.0.7 | 直接依赖 | maven |
| org.apache.commons:commons-numbers-core | 1.1 | 直接依赖 | maven |
| org.ejml:ejml-simple | 0.41.1 | 直接依赖 | maven |
| org.bytedeco:mkl-platform-redist | 2020.3-1.5.4 | 直接依赖 | maven |
| org.jogamp.jogl:jogl-all-main | 2.5.0 | 直接依赖 | maven |
| org.meteothink:meteoinfo-geo | 3.1.6 | 直接依赖 | maven |
| org | 间接依赖 | pip | |
| org.bytedeco:openblas | 0.3.10-1.5.4 | 间接依赖 | maven |
| edu.ucar:netcdfAll | 5.5.4-SNAPSHOT | 直接依赖 | maven |
| org.apache.commons:commons-statistics-distribution | 1.0 | 直接依赖 | maven |
| PolarAxes | 间接依赖 | pip | |
| org.apache.commons:commons-rng-sampling | 1.5 | 间接依赖 | maven |
| org.meteothink:meteoinfo-chart | 3.7.9 | 直接依赖 | maven |
| org.freehep:freehep-graphicsbase | 2.4 | 间接依赖 | maven |
| util | 间接依赖 | pip | |
| org.apache.commons:commons-rng-simple | 1.5 | 直接依赖 | maven |
| org.checkerframework:checker-qual | 3.12.0 | 间接依赖 | maven |
| net.sf.geographiclib:GeographicLib-Java | 2.0 | 直接依赖 | maven |