lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.
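The following is an added illustration of the flaw class described above, not mquery's own lib/utils.js code: a minimal recursive merge that copies every enumerable key of attacker-controlled input (here a JSON document, as a query body would be) walks into Object.prototype when the key is __proto__, beside a hardened merge that refuses the special keys and only recurses into the target's own plain-object properties. The function names, the payload and the demonstrate() helper are this example's own assumptions.

```javascript
// Added example (not mquery's code): vulnerable vs. hardened recursive merge.

// Vulnerable form: any key from `from`, including "__proto__", is copied.
// JSON.parse creates "__proto__" as an ordinary own enumerable property, so
// `to["__proto__"]` resolves to Object.prototype and the recursion writes there.
function mergeVulnerable(to, from) {
  for (const key in from) {
    const value = from[key];
    if (value && typeof value === 'object' && to[key] && typeof to[key] === 'object') {
      mergeVulnerable(to[key], value);   // with key === "__proto__" this is Object.prototype
    } else {
      to[key] = value;
    }
  }
  return to;
}

// Hardened form: skip the keys that reach the prototype chain, iterate only
// own keys, and recurse only into the target's own plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function mergeSafe(to, from) {
  for (const key of Object.keys(from)) {
    if (FORBIDDEN_KEYS.has(key)) continue;     // never touch the prototype chain
    const value = from[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(to, key);
    if (isPlainObject(value) && hasOwn && isPlainObject(to[key])) {
      mergeSafe(to[key], value);
    } else {
      to[key] = value;
    }
  }
  return to;
}

// Constructed payload of the kind an authenticated client could submit.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "x"}';

// Runs one merge against an empty target and reports whether a fresh,
// unrelated object now inherits the injected property. Cleans up afterwards
// so the process is not left polluted for later calls.
function demonstrate(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('vulnerable merge pollutes Object.prototype:', demonstrate(mergeVulnerable));
console.log('hardened merge pollutes Object.prototype:', demonstrate(mergeSafe));
```

The check to run against any merge or clone helper in a dependency tree is exactly demonstrate(): feed it a parsed JSON object carrying a __proto__ key and see whether an unrelated `{}` gains the property afterwards. Whether the pollution is exploitable further depends on what downstream code reads from the inherited property, which this example does not model.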
External References: https://github.com/advisories/GHSA-45q2-34rf-mr94 https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications
Statement: The affected version of mquery is a dependency of the mongoose library. Exploiting this vulnerability requires authenticated access; consequently, the CVSSv3 score for RHACM is lower than the score of the flaw itself.
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7
Via RHSA-2021:1369 https://access.redhat.com/errata/RHSA-2021:1369
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35149