基础信息
项目名称:arthur-ai/bench
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716049871961374720/1716049872217227264
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| NumPy 代码问题漏洞 | 空指针取消引用 | MPS-2021-32278 | CVE-2021-41495 | 中危 |
| httpx 存在输入验证不恰当漏洞 | 输入验证不恰当 | MPS-2022-14944 | 中危 | |
| mpmath 存在ReDoS漏洞 | ReDoS | MPS-2022-14993 | 中危 | |
| urllib3 安全漏洞 | 未授权敏感信息泄露 | MPS-46py-nxai | CVE-2023-45803 | 中危 |
| PyPI仓库charset-normalizer组件包内嵌恶意代码 | 内嵌恶意代码 | MPS-67h0-j1fr | 高危 | |
| LangChain 代码注入漏洞 | 代码注入 | MPS-7jdv-a49n | CVE-2023-36281 | 严重 |
| Requests Proxy-Authorization 标头泄露漏洞 | 未授权敏感信息泄露 | MPS-hr61-tzey | CVE-2023-32681 | 中危 |
| urllib3 HTTP重定向信息泄露漏洞 | 未授权敏感信息泄露 | MPS-s0oy-afbw | CVE-2023-43804 | 高危 |
| langchain注入漏洞 | 注入 | MPS-x9qb-uct8 | CVE-2023-39659 | 严重 |
| LangChain 安全漏洞 | 代码注入 | MPS-ze2c-1nou | CVE-2023-39631 | 严重 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| charset-normalizer | 3.2.0 | 间接依赖 | 强烈建议修复 | |
| requests | 2.28.2 | 2.31.0 | 间接依赖 | 建议修复 |
| langchain | 0.0.264 | 0.0.312 | 间接依赖 | 建议修复 |
| urllib3 | 1.26.16 | 2.0.7 | 间接依赖 | 建议修复 |
| mpmath | 1.3.0 | 间接依赖 | 可选修复 | |
| numpy | 1.25.2 | 间接依赖 | 可选修复 | |
| httpx | 0.24.1 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| 自定义许可证 | 15 | 低 |
| Unlicense | 2 | 低 |
| BSD-3-Clause | 5 | 低 |
| MIT | 24 | 低 |
| Apache-2.0 | 17 | 低 |
| ISC | 1 | 低 |
| HPND | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| sentencepiece | 0.1.99 | 间接依赖 | pip |
| kiwisolver | 1.4.4 | 间接依赖 | pip |
| fonttools | 4.42.0 | 间接依赖 | pip |
| dataclasses-json | 0.5.14 | 间接依赖 | pip |
| Jinja2 | 3.1.2 | 间接依赖 | pip |
| greenlet | 2.0.2 | 间接依赖 | pip |
| regex | 2023.8.8 | 间接依赖 | pip |
| Annotated | 间接依赖 | pip | |
| marshmallow | 3.20.1 | 间接依赖 | pip |
| contourpy | 1.1.0 | 间接依赖 | pip |
| async-timeout | 4.0.3 | 间接依赖 | pip |
| zipp | 3.16.2 | 间接依赖 | pip |
| requests | 2.28.2 | 间接依赖 | pip |
| pyphen | 0.14.0 | 间接依赖 | pip |
| tiktoken | 0.4.0 | 间接依赖 | pip |
| UserValueError | 间接依赖 | pip | |
| TestSuiteRequest | 间接依赖 | pip | |
| MOCK_RUN_JSON | 间接依赖 | pip | |
| PaginatedTestSuite | 间接依赖 | pip | |
| NotFoundError | 间接依赖 | pip | |
| networkx | 3.1 | 间接依赖 | pip |
| typing-inspect | 0.9.0 | 间接依赖 | pip |
| langsmith | 0.0.22 | 间接依赖 | pip |
| frozenlist | 1.4.0 | 间接依赖 | pip |
| huggingface-hub | 0.16.4 | 间接依赖 | pip |
| pyparsing | 3.0.9 | 间接依赖 | pip |
| pytest-cov | 4.1.0 | 间接依赖 | pip |
| nltk | 3.8.1 | 间接依赖 | pip |
| filelock | 3.12.2 | 间接依赖 | pip |
| Mock | 间接依赖 | pip | |
| myst_parser | 2.0.0 | 间接依赖 | pip |
| SQLAlchemy | 2.0.19 | 间接依赖 | pip |
| attrs | 23.1.0 | 间接依赖 | pip |
| idna | 3.4 | 间接依赖 | pip |
| Union | 间接依赖 | pip | |
| matplotlib | 3.7.2 | 间接依赖 | pip |
| transformers | 4.29.2 | 间接依赖 | pip |
| sphinx | 7.1.2 | 间接依赖 | pip |
| tokenizers | 0.13.3 | 间接依赖 | pip |
| amplitude-analytics | 1.1.1 | 间接依赖 | pip |
| pydantic | 1.10.12 | 间接依赖 | pip |
| langchain | 0.0.264 | 间接依赖 | pip |
| Optional | 间接依赖 | pip | |
| requests-toolbelt | 1.0.0 | 间接依赖 | pip |
| torch | 2.0.1 | 间接依赖 | pip |
| Dict | 间接依赖 | pip | |
| yarl | 1.9.2 | 间接依赖 | pip |
| tqdm | 4.65.2 | 间接依赖 | pip |
| bert-score | 0.3.13 | 间接依赖 | pip |
| sympy | 1.12 | 间接依赖 | pip |
| pandas | 2.0.3 | 间接依赖 | pip |
| aiohttp | 3.8.5 | 间接依赖 | pip |
| tenacity | 8.2.3 | 间接依赖 | pip |
| fastapi | 0.99.1 | 间接依赖 | pip |
| PyYAML | 6.0.1 | 间接依赖 | pip |
| importlib-resources | 6.0.1 | 间接依赖 | pip |
| aiosignal | 1.3.1 | 间接依赖 | pip |
| multidict | 6.0.4 | 间接依赖 | pip |
| MOCK_RUN | 间接依赖 | pip | |
| tzdata | 2023.3 | 间接依赖 | pip |
| packaging | 23.1 | 间接依赖 | pip |
| List | 间接依赖 | pip | |
| pytz | 2023.3 | 间接依赖 | pip |
| CreateRunRequest | 间接依赖 | pip | |
| user_login | 间接依赖 | pip | |
| urllib3 | 1.26.16 | 间接依赖 | pip |
| Tuple | 间接依赖 | pip | |
| evaluate | 0.4.0 | 间接依赖 | pip |
| cycler | 0.11.0 | 间接依赖 | pip |
| httpx | 0.24.1 | 间接依赖 | pip |
| sphinx-copybutton | 0.5.2 | 间接依赖 | pip |
| furo | 2023.7.26 | 间接依赖 | pip |
| numpy | 1.25.2 | 间接依赖 | pip |
| duckdb | 0.8.1 | 间接依赖 | pip |
| wordfreq | 3.0.3 | 间接依赖 | pip |
| exceptiongroup | 1.1.2 | 间接依赖 | pip |
| mypy-extensions | 1.0.0 | 间接依赖 | pip |
| bert_score | 间接依赖 | pip | |
| MarkupSafe | 2.1.3 | 间接依赖 | pip |
| openai | 0.27.0 | 间接依赖 | pip |
| pytest | 7.3.1 | 间接依赖 | pip |
| python-dateutil | 2.8.2 | 间接依赖 | pip |
| MagicMock | 间接依赖 | pip | |
| patch | 间接依赖 | pip | |
| certifi | 2023.7.22 | 间接依赖 | pip |
| six | 1.16.0 | 间接依赖 | pip |
| Pillow | 10.0.0 | 间接依赖 | pip |
| TestCaseRequest | 间接依赖 | pip | |
| textstat | 0.7.3 | 间接依赖 | pip |
| arthur_bench | 间接依赖 | pip | |
| PyJWT | 2.8.0 | 间接依赖 | pip |
| MissingParameterError | 间接依赖 | pip | |
| openapi-schema-pydantic | 1.2.4 | 间接依赖 | pip |
| fsspec | 2023.6.0 | 间接依赖 | pip |
| numexpr | 2.8.5 | 间接依赖 | pip |
| typing_extensions | 4.7.1 | 间接依赖 | pip |
| mpmath | 1.3.0 | 间接依赖 | pip |
| charset-normalizer | 3.2.0 | 间接依赖 | pip |
| get_current_org | 间接依赖 | pip |