Basic information
Project name: cloudberrydb/cloudberrydb
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1769559125032189952/1769600010100948992
This report is provided by Murphysec.
Vulnerability list
| Vulnerability | Type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| PostgreSQL buffer error vulnerability | Out-of-bounds write | MPS-2019-7109 | CVE-2019-10164 | High |
| PostgreSQL cryptographic issue vulnerability | Insecure cryptographic algorithm | MPS-2020-16817 | CVE-2020-25694 | High |
| Python-RSA cryptographic issue vulnerability | Covert timing channel | MPS-2020-16939 | CVE-2020-25658 | Medium |
| PostgreSQL security vulnerability | Privilege context switching error | MPS-2020-17359 | CVE-2020-25696 | High |
| httplib2 injection vulnerability | CRLF injection | MPS-2020-7623 | CVE-2020-11078 | Medium |
| Python-RSA cryptographic issue vulnerability | Insecure cryptographic algorithm | MPS-2020-7995 | CVE-2020-13757 | High |
| python-cryptography security vulnerability | Covert timing channel | MPS-2021-0163 | CVE-2020-25659 | Medium |
| httplib2 resource management error vulnerability | Denial of service | MPS-2021-10429 | CVE-2021-21240 | High |
| PostgreSQL security vulnerability | Insufficiently protected credentials | MPS-2021-35115 | CVE-2021-23222 | Medium |
| httplib2 CRLF injection vulnerability | CRLF injection | MPS-2022-14942 | | High |
| Python security vulnerability | ReDoS | MPS-2022-57238 | CVE-2022-40897 | Medium |
| PostgreSQL memory leak vulnerability | Memory leak | MPS-2022-58489 | CVE-2022-41862 | Medium |
| OpenSSL security vulnerability | Improper locking | MPS-2022-64591 | CVE-2022-3996 | High |
| OpenSSL buffer error vulnerability | Out-of-bounds read | MPS-2022-65756 | CVE-2022-4203 | Medium |
| OpenSSL security vulnerability | Information exposure through discrepancy | MPS-2022-66954 | CVE-2022-4304 | Medium |
| OpenSSL resource management error vulnerability | Double free | MPS-2022-67892 | CVE-2022-4450 | High |
| OpenSSL resource management error vulnerability | Use after free | MPS-2023-1276 | CVE-2023-0215 | High |
| OpenSSL code issue vulnerability | NULL pointer dereference | MPS-2023-1277 | CVE-2023-0216 | High |
| OpenSSL code issue vulnerability | NULL pointer dereference | MPS-2023-1278 | CVE-2023-0217 | High |
| OpenSSL code issue vulnerability | NULL pointer dereference | MPS-2023-2153 | CVE-2023-0401 | High |
| cryptography code issue vulnerability | Improper check for unusual or exceptional conditions | MPS-2023-2194 | CVE-2023-23931 | Medium |
| OpenSSL denial-of-service vulnerability | Improper check for unusual or exceptional conditions | MPS-7ch0-so2p | CVE-2023-5678 | Medium |
| OpenSSL security vulnerability | Excessive iteration | MPS-n3pe-ljgc | CVE-2023-3817 | Medium |
| python-cryptography trust management issue vulnerability | Improper certificate validation | MPS-sj5m-20tf | CVE-2023-38325 | High |
| python-cryptography security vulnerability | Information exposure through timing discrepancy | MPS-tf9k-xu02 | CVE-2023-50782 | High |
Defective components
| Component | Version | Minimum fixed version | Dependency type | Recommendation |
|---|---|---|---|---|
| rsa | 4.0 | 4.7 | Indirect | Fix recommended |
| libpq | 9.6.19 | | Indirect | Fix recommended |
| cryptography | 2.8 | | Indirect | Fix recommended |
| httplib2 | 0.16.0 | 0.19.0 | Indirect | Fix recommended |
| setuptools | 34 | 65.5.1 | Indirect | Optional fix |
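As an added example (not part of the Murphysec report or the cloudberrydb project), the following Python check reads `pip freeze` style output and compares each pinned version against the minimum fixed versions from the table above. libpq and cryptography have no minimum fixed version listed in the report, so they are flagged for manual review rather than compared; the sample freeze text is constructed for the example.

```python
import re

# Minimum fixed versions copied from the report's defective-components table.
# None means the report lists no minimum fixed version for that component.
MIN_FIXED = {
    "rsa": "4.7",
    "httplib2": "0.19.0",
    "setuptools": "65.5.1",
    "libpq": None,
    "cryptography": None,
}

# Constructed sample input in the shape of `pip freeze` output.
SAMPLE_FREEZE = """\
rsa==4.0
httplib2==0.16.0
setuptools==34
cryptography==2.8
six==1.14.0
"""


def parse_version(version):
    """Turn a version string into a tuple of ints for ordering.

    Only the leading dotted numeric run is used; trailing parts such as
    '.post1' or 'rc1' are dropped, which is enough for the pins in this report.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def classify(name, version):
    """Classify one pinned component against the report.

    Returns 'affected' (below the minimum fixed version), 'fixed' (at or
    above it), 'review' (report gives no fixed version, check manually),
    or None when the component is not named in the report.
    """
    key = name.strip().lower()
    if key not in MIN_FIXED:
        return None
    fixed = MIN_FIXED[key]
    if fixed is None:
        return "review"
    if parse_version(version) < parse_version(fixed):
        return "affected"
    return "fixed"


def check_freeze(freeze_text):
    """Map each reported component found in freeze_text to its classification."""
    findings = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and anything that is not a 'name==version' pin.
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        status = classify(name, version)
        if status is not None:
            findings[name.strip().lower()] = status
    return findings


if __name__ == "__main__":
    for component, status in sorted(check_freeze(SAMPLE_FREEZE).items()):
        print(f"{component}: {status}")
```

Because every listed component is an indirect dependency, the practical fix is a constraints file or an explicit pin that forces the resolver onto the minimum fixed version rather than editing the transitive package's own requirements.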
License risk
| License | Components | License risk |
|---|---|---|
| MIT | 24 | Low |
| BSD-2-Clause | 5 | Low |
| BSD-3-Clause | 1 | Low |
| LGPL-3.0-only | 1 | Low |
| Apache-2.0 | 11 | Low |
| GPL-3.0 | 1 | Medium |
| PostgreSQL | 1 | Low |
| LGPL-2.1 | 1 | Medium |
| Unlicense | 1 | Low |
| Custom license | 5 | Low |
| Python-2.0 | 2 | Low |
| GPL-3.0-only | 1 | Low |
| GPL-2.0-or-later | 1 | Low |
| Apache-2.0 OR BSD-3-Clause | 1 | Low |
SBOM inventory
| Component | Version | Dependency type | Repository |
|---|---|---|---|
| path | | Indirect | pip |
| jaraco.packaging | 3.2 | Indirect | pip |
| SocksiPy-branch | 1.01 | Indirect | pip |
| GpAddMirrorsProgram | | Indirect | pip |
| scandir | 1.10.0 | Indirect | pip |
| StringIO | | Indirect | pip |
| RemoveDirectory | | Indirect | pip |
| when | | Indirect | pip |
| check_values | | Indirect | pip |
| call | | Indirect | pip |
| OperationWorkerPool | | Indirect | pip |
| oauth2client | 4.1.3 | Indirect | pip |
| rsa | 4.0 | Indirect | pip |
| manifest_maker | | Indirect | pip |
| map | | Indirect | pip |
| setuptools | 34 | Indirect | pip |
| test_mark | | Indirect | pip |
| http_client | | Indirect | pip |
| connect | | Indirect | pip |
| Segment | | Indirect | pip |
| task | | Indirect | pip |
| google_apitools | 0.5.30 | Indirect | pip |
| then | | Indirect | pip |
| PostgreSQL | 9.5.0 | Indirect | perl |
| argcomplete | 1.11.1 | Indirect | pip |
| GpArray | | Indirect | pip |
| get_config_vars | | Indirect | pip |
| gcs-oauth2-boto-plugin | 2.5 | Indirect | pip |
| Command | | Indirect | pip |
| DistutilsOptionError | | Indirect | pip |
| six | 1.14.0 | Indirect | pip |
| Popen | | Indirect | pip |
| libpq | 9.6.19 | Indirect | |
| google_reauth | 0.1.0 | Indirect | pip |
| start_database_if_not_started | | Indirect | pip |
| check_output | | Indirect | pip |
| gpconfig_modules | | Indirect | pip |
| geos | | Indirect | |
| get_config_var | | Indirect | pip |
| get_abi3_suffix | | Indirect | pip |
| patch | | Indirect | pip |
| retry_decorator | 1.1.0 | Indirect | pip |
| PIDLockHeld | | Indirect | pip |
| initialize | | Indirect | pip |
| funcsigs | 1.0.2 | Indirect | pip |
| get_path | | Indirect | pip |
| PIDLockFile | | Indirect | pip |
| canonical | | Indirect | pip |
| rst.linker | 1.9 | Indirect | pip |
| monotonic | 1.5 | Indirect | pip |
| timedelta | | Indirect | pip |
| mock | 2.0.0 | Indirect | pip |
| product | | Indirect | pip |
| ExecutionError | | Indirect | pip |
| a | | Indirect | pip |
| plpgsql | | Indirect | perl |
| indirect2 | | Indirect | pip |
| PIPE | | Indirect | pip |
| given | | Indirect | pip |
| pbr | 5.4.4 | Indirect | pip |
| indirect1 | | Indirect | pip |
| more-itertools | 8.1 | Indirect | pip |
| contextlib2 | 0.6.0.post1 | Indirect | pip |
| customize_compiler | | Indirect | pip |
| starmap | | Indirect | pip |
| pyasn1_modules | 0.2.8 | Indirect | pip |
| commands | | Indirect | pip |
| yaml | | Indirect | pip |
| build_ext | | Indirect | pip |
| test_emitter | | Indirect | pip |
| MagicMock | | Indirect | pip |
| gparray | | Indirect | pip |
| recoveryinfo | | Indirect | pip |
| importlib_metadata | 1.4.0 | Indirect | pip |
| pylint | | Indirect | pip |
| pkg_resources | | Indirect | pip |
| line_reader | | Indirect | pip |
| pyOpenSSL | 19.1.0 | Indirect | pip |
| cloud_sptheme | 1.7.1 | Indirect | pip |
| REMOTE | | Indirect | pip |
| DistutilsError | | Indirect | pip |
| error | | Indirect | pip |
| FTS_PROBE_QUERY | | Indirect | pip |
| PY_COMPILED | | Indirect | pip |
| WorkerPool | | Indirect | pip |
| zipp | 1.0.0 | Indirect | pip |
| cryptography | 2.8 | Indirect | pip |
| libpq | | Indirect | |
| traceback2 | 1.4.0 | Indirect | pip |
| pathlib2 | 2.3.5 | Indirect | pip |
| TEST_local_base | | Indirect | pip |
| PKG_DIRECTORY | | Indirect | pip |
| DbURL | | Indirect | pip |
| parse_type | 0.5.2 | Indirect | pip |
| enum34 | 1.1.6 | Indirect | pip |
| ProgramArgumentValidationException | | Indirect | pip |
| linecache2 | 1.0.0 | Indirect | pip |
| pycparser | 2.19 | Indirect | pip |
| Mock | | Indirect | pip |
| DistutilsFileError | | Indirect | pip |
| gplog | | Indirect | pip |
| RemoveFile | | Indirect | pip |
| crcmod | 1.7 | Indirect | pip |
| test_constructor | | Indirect | pip |
| drop_database_if_exists | | Indirect | pip |
| gppylib | | Indirect | pip |
| gsutil | 4.47 | Indirect | pip |
| KERNEL32.dll | | Indirect | |
| logilab | | Indirect | pip |
| fasteners | 0.15 | Indirect | pip |
| pyu2f | 0.1.4 | Indirect | pip |
| imports | | Indirect | pip |
| parse | 1.14.0 | Indirect | pip |
| configparser | 4.0.2 | Indirect | pip |
| SegmentReconfigurer | | Indirect | pip |
| _yaml | | Indirect | pip |
| httplib2 | 0.16.0 | Indirect | pip |
| cffi | 1.13.2 | Indirect | pip |
| egg_info | | Indirect | pip |
| pyasn1 | 0.4.8 | Indirect | pip |
| boto | 2.49.0 | Indirect | pip |