URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

Reference:
https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839
https://github.com/medialize/URI.js/releases/tag/v1.19.6
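Added example (not part of the original report, and not URI.js or Red Hat code): a check for the parsing disagreement described above, comparing a parser that only recognises `scheme://` with Node's global `URL`, which implements the WHATWG URL Standard. `naiveIsRelative` is a constructed stand-in rather than the library's logic, and the sample inputs and `placeholder.invalid` base are constructed.

```javascript
// Added example. naiveIsRelative is a constructed stand-in, not URI.js code.

// A parser that only recognises "scheme://" as the start of an absolute URL.
function naiveIsRelative(input) {
  return !/^[a-z][a-z0-9+.-]*:\/\//i.test(input);
}

// Host that the WHATWG parser extracts when the input is parsed with no base;
// null if the input is not an absolute URL with a host.
function whatwgHost(input) {
  try {
    return new URL(input).host || null;
  } catch {
    return null;
  }
}

// True when the parsers disagree: the naive one says "relative" while the
// WHATWG one finds a scheme and a host.
function parsersDisagree(input) {
  return naiveIsRelative(input) && whatwgHost(input) !== null;
}

// Conservative check for values that must stay relative paths: reject
// backslashes and control characters outright, require a single leading "/",
// then confirm that resolving against a placeholder origin keeps that origin.
function isStrictRelativePath(input) {
  if (/[\\\u0000-\u001f\u007f]/.test(input)) return false;
  if (!input.startsWith("/") || input.startsWith("//")) return false;
  const base = "http://placeholder.invalid"; // constructed placeholder origin
  return new URL(input, base).origin === base;
}

// Constructed sample inputs ("\\" in source is a single backslash).
const samples = ["http://example.com/a", "http:\\/example.com/a", "/docs/page", "/\\example.com"];
for (const s of samples) {
  console.log(JSON.stringify(s), {
    naiveRelative: naiveIsRelative(s),
    whatwgHost: whatwgHost(s),
    disagree: parsersDisagree(s),
    strictRelative: isStrictRelativePath(s),
  });
}
```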
Statement: Red Hat Quay includes the urijs dependency in its package.lock file but it's not used anywhere in the code. Red Hat Advanced Cluster Management for Kubernetes uses Quay as a service, but not code from Quay that exists in RHACM.
This issue has been addressed in the following products:

Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27516