基础信息
项目名称:bahricanyesil/nodejs-starter-template
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1716212137168863232/1716212140683689984
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| MongoDB信息泄露漏洞 | 日志敏感信息泄露 | MPS-2021-24103 | CVE-2021-32050 | 高危 |
| node-semver 安全漏洞 | ReDoS | MPS-2022-5166 | CVE-2022-25883 | 高危 |
| xml2js 安全漏洞 | 原型污染 | MPS-2023-4673 | CVE-2023-0842 | 中危 |
| Automattic Mongoose 安全漏洞 | 原型污染 | MPS-rkw8-631m | CVE-2023-3696 | 严重 |
| fast-xml-parser 安全漏洞 | ReDoS | MPS-x6q9-lbdv | CVE-2023-34104 | 高危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| mongoose | 6.8.3 | 7.3.4 | 直接依赖 | 建议修复 |
| fast-xml-parser | 4.0.11 | 4.2.4 | 间接依赖 | 建议修复 |
| xml2js | 0.4.19 | 0.5.0 | 间接依赖 | 可选修复 |
| mongodb | 4.12.1 | 5.8.0 | 间接依赖 | 可选修复 |
| semver | 7.3.8 | 7.5.2 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| Apache-2.0 | 65 | 低 |
| MIT | 153 | 低 |
| BSD-3-Clause | 10 | 低 |
| ISC | 14 | 低 |
| Python-2.0 | 1 | 低 |
| BSD-2-Clause | 3 | 低 |
| 自定义许可证 | 1 | 低 |
| 0BSD | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| kareem | 2.5.1 | 间接依赖 | npm |
| aws-sdk | 2.1290.0 | 直接依赖 | npm |
| tr46 | 3.0.0 | 间接依赖 | npm |
| jmespath | 0.16.0 | 间接依赖 | npm |
| function-bind | 1.1.1 | 间接依赖 | npm |
| @sideway/address | 4.1.4 | 间接依赖 | npm |
| validator | 13.7.0 | 间接依赖 | npm |
| @aws-sdk/middleware-logger | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/util-utf8-node | 3.208.0 | 间接依赖 | npm |
| @aws-sdk/signature-v4 | 3.226.0 | 间接依赖 | npm |
| swagger-ui-dist | 4.15.5 | 间接依赖 | npm |
| side-channel | 1.0.4 | 间接依赖 | npm |
| @apidevtools/swagger-methods | 3.0.2 | 间接依赖 | npm |
| @aws-sdk/url-parser | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/util-base64 | 3.208.0 | 间接依赖 | npm |
| @aws-sdk/credential-provider-ini | 3.245.0 | 间接依赖 | npm |
| mongodb | 4.12.1 | 间接依赖 | npm |
| is-arguments | 1.1.1 | 间接依赖 | npm |
| inflight | 1.0.6 | 间接依赖 | npm |
| @aws-sdk/fetch-http-handler | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/credential-provider-web-identity | 3.226.0 | 间接依赖 | npm |
| statuses | 2.0.1 | 间接依赖 | npm |
| semver | 7.3.8 | 间接依赖 | npm |
| @aws-sdk/middleware-host-header | 3.226.0 | 间接依赖 | npm |
| rate-limiter-flexible | 2.4.1 | 直接依赖 | npm |
| multer | 1.4.5-lts.1 | 直接依赖 | npm |
| bytes | 3.1.2 | 间接依赖 | npm |
| argparse | 2.0.1 | 间接依赖 | npm |
| strnum | 1.0.5 | 间接依赖 | npm |
| memory-pager | 1.5.0 | 间接依赖 | npm |
| object-assign | 4.1.1 | 间接依赖 | npm |
| color-convert | 2.0.1 | 间接依赖 | npm |
| accepts | 1.3.8 | 间接依赖 | npm |
| readable-stream | 2.3.7 | 间接依赖 | npm |
| buffer-from | 1.1.2 | 间接依赖 | npm |
| debug | 2.6.9 | 间接依赖 | npm |
| color-name | 1.1.4 | 间接依赖 | npm |
| @aws-crypto/sha256-js | 2.0.0 | 间接依赖 | npm |
| supports-color | 7.2.0 | 间接依赖 | npm |
| fast-xml-parser | 4.0.11 | 间接依赖 | npm |
| cookie | 0.5.0 | 间接依赖 | npm |
| swagger-ui-express | 4.6.0 | 直接依赖 | npm |
| @types/webidl-conversions | 7.0.0 | 间接依赖 | npm |
| @aws-crypto/util | 2.0.2 | 间接依赖 | npm |
| vary | 1.1.2 | 间接依赖 | npm |
| webidl-conversions | 7.0.0 | 间接依赖 | npm |
| busboy | 1.6.0 | 间接依赖 | npm |
| @hapi/topo | 5.1.0 | 间接依赖 | npm |
| has-flag | 4.0.0 | 间接依赖 | npm |
| jws | 3.2.2 | 间接依赖 | npm |
| is-callable | 1.2.7 | 间接依赖 | npm |
| fresh | 0.5.2 | 间接依赖 | npm |
| @aws-sdk/middleware-endpoint | 3.226.0 | 间接依赖 | npm |
| mongoose | 6.8.3 | 直接依赖 | npm |
| cors | 2.8.5 | 直接依赖 | npm |
| path-is-absolute | 1.0.1 | 间接依赖 | npm |
| @aws-sdk/credential-provider-cognito-identity | 3.245.0 | 间接依赖 | npm |
| @aws-sdk/util-body-length-browser | 3.188.0 | 间接依赖 | npm |
| forwarded | 0.2.0 | 间接依赖 | npm |
| @aws-sdk/querystring-parser | 3.226.0 | 间接依赖 | npm |
| safe-buffer | 5.1.2 | 间接依赖 | npm |
| @aws-crypto/supports-web-crypto | 2.0.2 | 间接依赖 | npm |
| @aws-sdk/property-provider | 3.226.0 | 间接依赖 | npm |
| mime | 1.6.0 | 间接依赖 | npm |
| call-me-maybe | 1.0.2 | 间接依赖 | npm |
| array-uniq | 1.0.2 | 间接依赖 | npm |
| depd | 2.0.0 | 间接依赖 | npm |
| for-each | 0.3.3 | 间接依赖 | npm |
| compressible | 2.0.18 | 间接依赖 | npm |
| socks | 2.7.1 | 间接依赖 | npm |
| lazy | 1.0.11 | 间接依赖 | npm |
| @aws-sdk/middleware-user-agent | 3.226.0 | 间接依赖 | npm |
| jwa | 1.4.1 | 间接依赖 | npm |
| @aws-sdk/middleware-content-length | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/hash-node | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/client-sso-oidc | 3.245.0 | 间接依赖 | npm |
| mime-db | 1.52.0 | 间接依赖 | npm |
| express | 4.18.2 | 直接依赖 | npm |
| fd-slicer | 1.1.0 | 间接依赖 | npm |
| @aws-sdk/middleware-signing | 3.226.0 | 间接依赖 | npm |
| has | 1.0.3 | 间接依赖 | npm |
| call-bind | 1.0.2 | 间接依赖 | npm |
| send | 0.18.0 | 间接依赖 | npm |
| object-inspect | 1.12.2 | 间接依赖 | npm |
| lodash.get | 4.4.2 | 间接依赖 | npm |
| @aws-sdk/middleware-retry | 3.235.0 | 间接依赖 | npm |
| @aws-sdk/node-config-provider | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/querystring-builder | 3.226.0 | 间接依赖 | npm |
| tslib | 2.4.1 | 间接依赖 | npm |
| base64-js | 1.5.1 | 间接依赖 | npm |
| @aws-sdk/protocol-http | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/client-cognito-identity | 3.245.0 | 间接依赖 | npm |
| dotenv | 16.0.3 | 直接依赖 | npm |
| once | 1.4.0 | 间接依赖 | npm |
| streamsearch | 1.1.0 | 间接依赖 | npm |
| @types/json-schema | 7.0.11 | 间接依赖 | npm |
| saslprep | 1.0.3 | 间接依赖 | npm |
| @types/whatwg-url | 8.2.2 | 间接依赖 | npm |
| encodeurl | 1.0.2 | 间接依赖 | npm |
| z-schema | 5.0.5 | 间接依赖 | npm |
| @aws-sdk/credential-provider-process | 3.226.0 | 间接依赖 | npm |
| cookie-signature | 1.0.6 | 间接依赖 | npm |
| geoip-lite | 1.4.6 | 直接依赖 | npm |
| which-typed-array | 1.1.9 | 间接依赖 | npm |
| body-parser | 1.20.1 | 间接依赖 | npm |
| path-to-regexp | 0.1.7 | 间接依赖 | npm |
| basic-auth | 2.0.1 | 间接依赖 | npm |
| ip | 2.0.0 | 间接依赖 | npm |
| @aws-sdk/node-http-handler | 3.226.0 | 间接依赖 | npm |
| range-parser | 1.2.1 | 间接依赖 | npm |
| sparse-bitfield | 3.0.3 | 间接依赖 | npm |
| @aws-crypto/ie11-detection | 2.0.2 | 间接依赖 | npm |
| minimatch | 3.1.2 | 间接依赖 | npm |
| type-is | 1.6.18 | 间接依赖 | npm |
| buffer-equal-constant-time | 1.0.1 | 间接依赖 | npm |
| array-flatten | 1.1.1 | 间接依赖 | npm |
| is-typed-array | 1.1.10 | 间接依赖 | npm |
| @aws-sdk/util-middleware | 3.226.0 | 间接依赖 | npm |
| morgan | 1.10.0 | 直接依赖 | npm |
| @aws-sdk/credential-provider-env | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/types | 3.226.0 | 间接依赖 | npm |
| process-nextick-args | 2.0.1 | 间接依赖 | npm |
| @types/node | 18.11.18 | 间接依赖 | npm |
| mime-types | 2.1.35 | 间接依赖 | npm |
| ecdsa-sig-formatter | 1.0.11 | 间接依赖 | npm |
| buffer-crc32 | 0.2.13 | 间接依赖 | npm |
| @aws-sdk/shared-ini-file-loader | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/client-sso | 3.245.0 | 间接依赖 | npm |
| on-finished | 2.4.1 | 间接依赖 | npm |
| ansi-styles | 4.3.0 | 间接依赖 | npm |
| @aws-sdk/client-sts | 3.245.0 | 间接依赖 | npm |
| rimraf | 2.7.1 | 间接依赖 | npm |
| @aws-sdk/util-utf8-browser | 3.188.0 | 间接依赖 | npm |
| content-type | 1.0.4 | 间接依赖 | npm |
| sift | 16.0.1 | 间接依赖 | npm |
| http-errors | 2.0.0 | 间接依赖 | npm |
| openapi-types | 12.1.0 | 直接依赖 | npm |
| @aws-sdk/util-buffer-from | 3.208.0 | 间接依赖 | npm |
| content-disposition | 0.5.4 | 间接依赖 | npm |
| @aws-sdk/util-user-agent-node | 3.226.0 | 间接依赖 | npm |
| string_decoder | 1.1.1 | 间接依赖 | npm |
| xmlbuilder | 9.0.7 | 间接依赖 | npm |
| mongodb-connection-string-url | 2.6.0 | 间接依赖 | npm |
| utils-merge | 1.0.1 | 间接依赖 | npm |
| jsbn | 1.1.0 | 间接依赖 | npm |
| iconv-lite | 0.4.24 | 间接依赖 | npm |
| concat-map | 0.0.1 | 间接依赖 | npm |
| @jsdevtools/ono | 7.1.3 | 间接依赖 | npm |
| @aws-sdk/abort-controller | 3.226.0 | 间接依赖 | npm |
| safer-buffer | 2.1.2 | 间接依赖 | npm |
| util-deprecate | 1.0.2 | 间接依赖 | npm |
| @aws-sdk/middleware-sdk-sts | 3.226.0 | 间接依赖 | npm |
| available-typed-arrays | 1.0.5 | 间接依赖 | npm |
| doctrine | 3.0.0 | 间接依赖 | npm |
| merge-descriptors | 1.0.1 | 间接依赖 | npm |
| media-typer | 0.3.0 | 间接依赖 | npm |
| setprototypeof | 1.2.0 | 间接依赖 | npm |
| joi | 17.7.0 | 直接依赖 | npm |
| @apidevtools/json-schema-ref-parser | 9.1.0 | 间接依赖 | npm |
| xml2js | 0.4.19 | 间接依赖 | npm |
| glob | 7.2.3 | 间接依赖 | npm |
| fs.realpath | 1.0.0 | 间接依赖 | npm |
| @aws-sdk/util-defaults-mode-browser | 3.234.0 | 间接依赖 | npm |
| @aws-sdk/credential-provider-node | 3.245.0 | 间接依赖 | npm |
| typedarray | 0.0.6 | 间接依赖 | npm |
| unpipe | 1.0.0 | 间接依赖 | npm |
| ms | 2.0.0 | 间接依赖 | npm |
| @aws-sdk/credential-provider-imds | 3.226.0 | 间接依赖 | npm |
| concat-stream | 1.6.2 | 间接依赖 | npm |
| @aws-sdk/util-retry | 3.229.0 | 间接依赖 | npm |
| util | 0.12.5 | 间接依赖 | npm |
| bson | 4.7.1 | 间接依赖 | npm |
| get-intrinsic | 1.1.3 | 间接依赖 | npm |
| escape-html | 1.0.3 | 间接依赖 | npm |
| @aws-sdk/middleware-serde | 3.226.0 | 间接依赖 | npm |
| commander | 6.2.0 | 间接依赖 | npm |
| randomstring | 1.2.3 | 直接依赖 | npm |
| gopd | 1.0.1 | 间接依赖 | npm |
| smart-buffer | 4.2.0 | 间接依赖 | npm |
| minimist | 1.2.7 | 间接依赖 | npm |
| randombytes | 2.0.3 | 间接依赖 | npm |
| etag | 1.8.1 | 间接依赖 | npm |
| mkdirp | 0.5.6 | 间接依赖 | npm |
| core-util-is | 1.0.3 | 间接依赖 | npm |
| methods | 1.1.2 | 间接依赖 | npm |
| toidentifier | 1.0.1 | 间接依赖 | npm |
| querystring | 0.2.0 | 间接依赖 | npm |
| @aws-crypto/sha256-browser | 2.0.0 | 间接依赖 | npm |
| swagger-jsdoc | 6.2.7 | 直接依赖 | npm |
| lodash.mergewith | 4.6.2 | 间接依赖 | npm |
| uuid | 8.0.0 | 间接依赖 | npm |
| yallist | 4.0.0 | 间接依赖 | npm |
| @sideway/formula | 3.0.1 | 间接依赖 | npm |
| jsonwebtoken | 9.0.0 | 直接依赖 | npm |
| whatwg-url | 11.0.0 | 间接依赖 | npm |
| esutils | 2.0.3 | 间接依赖 | npm |
| brace-expansion | 1.1.11 | 间接依赖 | npm |
| @aws-sdk/middleware-stack | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/middleware-recursion-detection | 3.226.0 | 间接依赖 | npm |
| ipaddr.js | 1.9.1 | 间接依赖 | npm |
| destroy | 1.2.0 | 间接依赖 | npm |
| nodemailer | 6.8.0 | 直接依赖 | npm |
| lodash.isequal | 4.5.0 | 间接依赖 | npm |
| lodash | 4.17.21 | 间接依赖 | npm |
| buffer | 4.9.2 | 间接依赖 | npm |
| @aws-sdk/util-locate-window | 3.208.0 | 间接依赖 | npm |
| @aws-sdk/invalid-dependency | 3.226.0 | 间接依赖 | npm |
| proxy-addr | 2.0.7 | 间接依赖 | npm |
| balanced-match | 1.0.2 | 间接依赖 | npm |
| @sideway/pinpoint | 2.0.0 | 间接依赖 | npm |
| @aws-sdk/smithy-client | 3.234.0 | 间接依赖 | npm |
| @aws-sdk/token-providers | 3.245.0 | 间接依赖 | npm |
| events | 1.1.1 | 间接依赖 | npm |
| js-yaml | 4.1.0 | 间接依赖 | npm |
| @aws-sdk/config-resolver | 3.234.0 | 间接依赖 | npm |
| append-field | 1.0.0 | 间接依赖 | npm |
| parseurl | 1.3.3 | 间接依赖 | npm |
| @aws-sdk/credential-providers | 3.245.0 | 间接依赖 | npm |
| ieee754 | 1.1.13 | 间接依赖 | npm |
| mquery | 4.0.3 | 间接依赖 | npm |
| finalhandler | 1.2.0 | 间接依赖 | npm |
| @aws-sdk/util-endpoints | 3.245.0 | 间接依赖 | npm |
| async | 2.6.4 | 间接依赖 | npm |
| on-headers | 1.0.2 | 间接依赖 | npm |
| @aws-sdk/util-body-length-node | 3.208.0 | 间接依赖 | npm |
| @apidevtools/openapi-schemas | 2.1.0 | 间接依赖 | npm |
| helmet | 6.0.1 | 直接依赖 | npm |
| chalk | 4.1.2 | 间接依赖 | npm |
| yaml | 2.0.0-1 | 间接依赖 | npm |
| @hapi/hoek | 9.3.0 | 间接依赖 | npm |
| @aws-sdk/util-config-provider | 3.208.0 | 间接依赖 | npm |
| sprintf-js | 1.1.2 | 间接依赖 | npm |
| inherits | 2.0.4 | 间接依赖 | npm |
| @aws-sdk/util-user-agent-browser | 3.226.0 | 间接依赖 | npm |
| @aws-sdk/credential-provider-sso | 3.245.0 | 间接依赖 | npm |
| wrappy | 1.0.2 | 间接依赖 | npm |
| ip-address | 5.9.4 | 间接依赖 | npm |
| qs | 6.11.0 | 间接依赖 | npm |
| lru-cache | 6.0.0 | 间接依赖 | npm |
| swagger-parser | 10.0.3 | 间接依赖 | npm |
| is-generator-function | 1.0.10 | 间接依赖 | npm |
| bowser | 2.11.0 | 间接依赖 | npm |
| @aws-sdk/service-error-classification | 3.229.0 | 间接依赖 | npm |
| @apidevtools/swagger-parser | 10.0.3 | 间接依赖 | npm |
| compression | 1.7.4 | 直接依赖 | npm |
| xtend | 4.0.2 | 间接依赖 | npm |
| raw-body | 2.5.1 | 间接依赖 | npm |
| negotiator | 0.6.3 | 间接依赖 | npm |
| sax | 1.2.1 | 间接依赖 | npm |
| @aws-sdk/util-defaults-mode-node | 3.234.0 | 间接依赖 | npm |
| mpath | 0.9.0 | 间接依赖 | npm |
| pend | 1.2.0 | 间接依赖 | npm |
| punycode | 1.3.2 | 间接依赖 | npm |
| ee-first | 1.1.1 | 间接依赖 | npm |
| yauzl | 2.10.0 | 间接依赖 | npm |
| serve-static | 1.15.0 | 间接依赖 | npm |
| has-tostringtag | 1.0.0 | 间接依赖 | npm |
| bcryptjs | 2.4.3 | 直接依赖 | npm |
| has-symbols | 1.0.3 | 间接依赖 | npm |
| isarray | 1.0.0 | 间接依赖 | npm |