In vm2 versions up to 3.9.19, the sanitization of Promise handlers can be bypassed, allowing an attacker to escape the sandbox and run arbitrary code.
Red Hat Advanced Cluster Management for Kubernetes 2.7.7 already contains the fix for this vulnerability; it was released via RHSA-2023:4654 (https://access.redhat.com/errata/RHSA-2023:4654).
This issue has been addressed in the following products:
multicluster engine for Kubernetes 2.3 for RHEL 8, via RHSA-2023:4862 (https://access.redhat.com/errata/RHSA-2023:4862)
Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8, via RHSA-2023:4875 (https://access.redhat.com/errata/RHSA-2023:4875)
multicluster engine for Kubernetes 2.1 for RHEL 8, via RHSA-2023:4972 (https://access.redhat.com/errata/RHSA-2023:4972)
Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8, via RHSA-2023:4980 (https://access.redhat.com/errata/RHSA-2023:4980)
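An added example, not part of the Red Hat advisory or the vm2 project: a Node.js check that walks an npm lockfile and flags every copy of vm2, top-level or nested under another dependency, whose version falls in the affected range up to 3.9.19. The sample lockfile, the function names and the cut-off constant are assumptions constructed for this demo.

```javascript
// Added example (not from the advisory): flag vm2 entries in an npm lockfile
// (lockfileVersion 2/3 "packages" map) whose version is <= 3.9.19, the upper
// bound of the affected range stated in the advisory.
const LAST_AFFECTED_VM2 = "3.9.19";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// A pre-release suffix such as "3.9.19-beta" is stripped and compared as its base.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/vm2" or, for a nested copy pulled in
// by another package, "node_modules/<dep>/node_modules/vm2"; both must be checked,
// since a patched top-level copy does not fix a vulnerable nested one.
function findAffectedVm2(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, LAST_AFFECTED_VM2) <= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical): a top-level copy above the affected
// range, a nested copy inside it, and an unrelated package with a similar name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vm2": { version: "3.9.20" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.17" },
    "node_modules/vm2-clone": { version: "1.0.0" },
  },
};

console.log(findAffectedVm2(SAMPLE_LOCK));
```

To scan a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).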