基础信息
项目名称:arthurgregorio/web-budget
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716050090828546048/1716050091067621376
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| Apache Commons Beanutils 存在不可信数据的反序列化漏洞 | 反序列化 | MPS-2019-10233 | CVE-2019-10086 | 高危 |
| Apache Shiro | 身份验证不当 | MPS-2020-11767 | CVE-2020-13933 | 高危 |
| Google Guava 访问控制错误漏洞 | 关键资源权限分配不当 | MPS-2020-17429 | CVE-2020-8908 | 低危 |
| Apache Commons Configuration 存在 RCE 漏洞 | 代码注入 | MPS-2020-3836 | CVE-2020-1953 | 严重 |
| Apache Shiro 授权问题漏洞 | 使用基本弱点进行的认证绕过 | MPS-2020-4560 | CVE-2020-1957 | 严重 |
| Apache Shiro 存在身份验证绕过漏洞 | 身份验证不当 | MPS-2020-9344 | CVE-2020-11989 | 严重 |
| Apache Shiro 访问控制错误漏洞 | 身份验证不当 | MPS-2021-1064 | CVE-2020-17523 | 严重 |
| JetBrains Kotlin | 缺省权限不正确 | MPS-2021-1082 | CVE-2020-29582 | 中危 |
| Apache Shiro 存在身份验证绕过 | 身份验证不当 | MPS-2021-32074 | CVE-2021-41303 | 严重 |
| org.primefaces:primefaces 存在跨站脚本漏洞 | XSS | MPS-2022-11858 | 中危 | |
| org.apache.shiro:shiro-web 存在路径遍历漏洞 | 路径遍历 | MPS-2022-11870 | 中危 | |
| org.primefaces:primefaces 存在跨站脚本漏洞 | XSS | MPS-2022-11877 | 中危 | |
| org.primefaces:primefaces 存在跨站脚本漏洞 | XSS | MPS-2022-12078 | 中危 | |
| org.primefaces:primefaces 存在跨站脚本漏洞 | XSS | MPS-2022-12202 | 中危 | |
| org.primefaces:primefaces 存在跨站脚本漏洞 | XSS | MPS-2022-12227 | 中危 | |
| Apache Shiro 权限绕过漏洞 | 授权检查错误 | MPS-2022-17602 | CVE-2022-32532 | 中危 |
| Apache Commons Configuration 任意代码执行漏洞 | 表达式语言注入 | MPS-2022-19214 | CVE-2022-33980 | 中危 |
| JetBrains Kotlin | 加锁机制不恰当 | MPS-2022-3233 | CVE-2022-24329 | 中危 |
| Apache Shiro | 授权检查错误 | MPS-2022-56931 | CVE-2022-40664 | 严重 |
| Apache Commons Text | 反序列化 | MPS-2022-59712 | CVE-2022-42889 | 严重 |
| Apache Shiro | 解释冲突 | MPS-2023-0169 | CVE-2023-22602 | 中危 |
| Okio 安全漏洞 | 数值类型间的不正确转换 | MPS-a2tx-d4fb | CVE-2023-3635 | 高危 |
| Apache Shiro 身份验证绕过漏洞 | 路径遍历 | MPS-i2ro-tb93 | CVE-2023-34478 | 严重 |
| Guava | 创建拥有不安全权限的临时文件 | MPS-mfku-xzh3 | CVE-2023-2976 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| org.apache.shiro:shiro-web | 1.4.2 | 2.0.0-alpha-3 | 间接依赖 | 建议修复 |
| com.squareup.okio:okio | 2.7.0 | 3.4.0 | 间接依赖 | 建议修复 |
| commons-beanutils:commons-beanutils | 1.9.3 | 1.9.4 | 间接依赖 | 建议修复 |
| org.apache.shiro:shiro-core | 1.4.2 | 1.9.1 | 间接依赖 | 建议修复 |
| org.apache.commons:commons-configuration2 | 2.5 | 2.8 | 间接依赖 | 建议修复 |
| org.apache.commons:commons-text | 1.6 | 1.10.0 | 间接依赖 | 建议修复 |
| com.google.guava:guava | 30.0-android | 32.0.0-jre | 直接依赖 | 建议修复 |
| org.primefaces:primefaces | 8.0 | 直接依赖 | 可选修复 | |
| org.jetbrains.kotlin:kotlin-stdlib | 1.3.72 | 1.6.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 49 | 低 |
| MIT | 3 | 低 |
| CC-BY-3.0 | 1 | 低 |
| CDDL-1.1 | 1 | 低 |
| LGPL-2.1-or-later | 1 | 低 |
| 自定义许可证 | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| com.google.errorprone:error_prone_annotations | 2.3.4 | 间接依赖 | maven |
| org.apache.shiro:shiro-crypto-core | 1.4.2 | 间接依赖 | maven |
| com.google.guava:guava | 30.0-android | 直接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-partial-bean-module-impl | 1.9.4 | 间接依赖 | maven |
| com.google.code.findbugs:jsr305 | 3.0.2 | 间接依赖 | maven |
| org.jetbrains:annotations | 13.0 | 间接依赖 | maven |
| org.apache.shiro:shiro-lang | 1.4.2 | 间接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-partial-bean-module-api | 1.9.4 | 间接依赖 | maven |
| commons-collections:commons-collections | 3.2.2 | 间接依赖 | maven |
| org.apache.shiro:shiro-crypto-hash | 1.4.2 | 间接依赖 | maven |
| org.apache.deltaspike.core:deltaspike-core-api | 1.9.4 | 间接依赖 | maven |
| org.jetbrains.kotlin:kotlin-stdlib | 1.3.72 | 间接依赖 | maven |
| org.apache.shiro:shiro-config-core | 1.4.2 | 间接依赖 | maven |
| org.apache.deltaspike.core:deltaspike-core-impl | 1.9.4 | 间接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-proxy-module-impl-asm | 1.9.4 | 间接依赖 | maven |
| com.squareup.okio:okio | 2.7.0 | 间接依赖 | maven |
| io.github.openfeign:feign-core | 10.10.0 | 直接依赖 | maven |
| org.apache.commons:commons-configuration2 | 2.5 | 间接依赖 | maven |
| commons-beanutils:commons-beanutils | 1.9.3 | 间接依赖 | maven |
| br.eti.arthurgregorio:shiro-ee | 1.5.1 | 直接依赖 | maven |
| org.primefaces:primefaces | 8.0 | 直接依赖 | maven |
| org.webjars:font-awesome | 5.10.1 | 直接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-data-module-impl | 1.9.4 | 直接依赖 | maven |
| org.primefaces.extensions:primefaces-extensions | 8.0.4 | 直接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-proxy-module-api | 1.9.4 | 间接依赖 | maven |
| br.com.caelum.stella:caelum-stella-core | 2.1.3 | 直接依赖 | maven |
| org.apache.commons:commons-lang3 | 3.10 | 直接依赖 | maven |
| org.checkerframework:checker-compat-qual | 2.5.5 | 间接依赖 | maven |
| com.google.j2objc:j2objc-annotations | 1.3 | 间接依赖 | maven |
| javax.xml.bind:jaxb-api | 2.3.1 | 直接依赖 | maven |
| org.apache.shiro:shiro-ehcache | 1.4.1 | 间接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-jpa-module-impl | 1.9.4 | 直接依赖 | maven |
| org.apache.commons:commons-text | 1.6 | 间接依赖 | maven |
| org.flywaydb:flyway-core | 6.4.4 | 直接依赖 | maven |
| org.hibernate:hibernate-jpamodelgen | 5.3.17.Final | 直接依赖 | maven |
| com.github.spullara.mustache.java:compiler | 0.9.6 | 直接依赖 | maven |
| org.apache.shiro:shiro-event | 1.4.2 | 间接依赖 | maven |
| io.github.openfeign:feign-slf4j | 10.10.0 | 直接依赖 | maven |
| io.github.openfeign:feign-okhttp | 10.10.0 | 直接依赖 | maven |
| org.apache.shiro:shiro-cache | 1.4.2 | 间接依赖 | maven |
| net.sf.ehcache:ehcache-core | 2.6.11 | 间接依赖 | maven |
| org.projectlombok:lombok | 1.18.12 | 直接依赖 | maven |
| org.apache.shiro:shiro-crypto-cipher | 1.4.2 | 间接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-jpa-module-api | 1.9.4 | 直接依赖 | maven |
| org.jetbrains.kotlin:kotlin-stdlib-common | 1.3.70 | 间接依赖 | maven |
| org.apache.shiro:shiro-config-ogdl | 1.4.2 | 间接依赖 | maven |
| com.squareup.okhttp3:okhttp | 4.8.1 | 直接依赖 | maven |
| org.apache.deltaspike.modules:deltaspike-data-module-api | 1.9.4 | 直接依赖 | maven |
| com.google.guava:listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava | 间接依赖 | maven |
| commons-logging:commons-logging | 1.2 | 间接依赖 | maven |
| com.google.guava:failureaccess | 1.0.1 | 间接依赖 | maven |
| io.github.openfeign:feign-jackson | 10.10.0 | 直接依赖 | maven |
| org.omnifaces:omnifaces | 3.7.1 | 直接依赖 | maven |
| de.svenkubiak:jBCrypt | 0.4.1 | 间接依赖 | maven |
| org.apache.shiro:shiro-web | 1.4.2 | 间接依赖 | maven |
| org.apache.shiro:shiro-core | 1.4.2 | 间接依赖 | maven |