quadrigacx-0.0.7.tgz: 2 vulnerabilities (highest severity is: 9.3)

[mend-for-github-com[bot]]

Vulnerable Library - quadrigacx-0.0.7.tgz

Path to dependency file: /extensions/exchanges/quadriga/package.json

Path to vulnerable library: /package.json,/extensions/exchanges/quadriga/node_modules/tough-cookie/package.json

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (quadrigacx version)	Remediation Possible**	Reachability
CVE-2023-26136	Critical	9.3	Not Defined	0.1%	tough-cookie-2.5.0.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	5.3	Not Defined	0.1%	request-2.88.2.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

### Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/extensions/exchanges/quadriga/node_modules/tough-cookie/package.json

Dependency Hierarchy: - quadrigacx-0.0.7.tgz (Root Library) - request-2.88.2.tgz - :x: **tough-cookie-2.5.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

CVE-2023-28155

### Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/extensions/exchanges/quadriga/node_modules/request/package.json

Dependency Hierarchy: - quadrigacx-0.0.7.tgz (Root Library) - :x: **request-2.88.2.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0