A vulnerability was found in NOdejs set-value, where set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.
Created nodejs-set-value tracking bugs for this issue:
Affects: fedora-all [bug 1795480]
Red Hat Quay 3.2 uses nodejs-set-value 2.0.1 which has a fix for this vulnerability.
While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it's added as a dependency of Kibana 5. Similar issue about prototype pollution  have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP.
In Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity.
 CVE-2019-10744 https://www.elastic.co/community/security