A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

External Reference: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212
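As an added illustration (not set-value's code and not the upstream fix), the simplified deep setter below shows why a blocklist that only inspects string path segments is bypassed when a segment is itself an array, beside a hardened variant that coerces every segment to a string before checking it; `UNSAFE`, `setVulnerable`, `setHardened` and `prototypeHasKey` are hypothetical names.

```javascript
// Added illustration, not set-value's own code: a simplified deep setter
// showing the type-confusion pattern and a hardened variant.
const UNSAFE = new Set(['__proto__', 'constructor', 'prototype']);

function toSegments(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable pattern: the blocklist check runs on the raw segment, so a
// non-string segment such as ['__proto__'] slips past it, yet node[seg]
// still coerces that array to the property name "__proto__".
function setVulnerable(target, path, value) {
  const segs = toSegments(path);
  let node = target;
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    if (typeof seg === 'string' && UNSAFE.has(seg)) return target;
    if (i === segs.length - 1) {
      node[seg] = value;
    } else {
      if (node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
      node = node[seg];
    }
  }
  return target;
}

// Hardened pattern: coerce each segment to the string that will actually
// be used as the key, reject blocklisted names, and never descend into
// inherited properties.
function setHardened(target, path, value) {
  const segs = toSegments(path).map((s) => String(s));
  if (segs.some((s) => UNSAFE.has(s))) {
    throw new Error('unsafe path segment');
  }
  let node = target;
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    if (i === segs.length - 1) { node[seg] = value; break; }
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  return target;
}

// Detection helper for tests: true if Object.prototype now carries `key`.
function prototypeHasKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Running `setVulnerable({}, [['__proto__'], 'polluted'], true)` leaves every plain object reporting `polluted === true`, while `setHardened` rejects the same path before touching anything.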
Created nodejs-set-value tracking bugs for this issue:

Affects: fedora-33 [bug 2004945]
Downgrading the impact to Moderate, as this does not qualify for the Important severity Red Hat rating.
Upstream PR and fix:
https://github.com/jonschlinkert/set-value/pull/33
https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:5038 https://access.redhat.com/errata/RHSA-2021:5038
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156