CVE-2021-3602
EUVD-2021-144603.03.2022, 19:15
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| buildah_project | buildah | 𝑥 < 1.16.8 |
| buildah_project | buildah | 1.17.0 ≤ 𝑥 < 1.17.2 |
| buildah_project | buildah | 1.19.0 ≤ 𝑥 < 1.19.9 |
| buildah_project | buildah | 1.21.0 ≤ 𝑥 < 1.21.3 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_for_ibm_z_systems | 8.0 |
| redhat | enterprise_linux_for_power_little_endian | 8.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-212 - Improper Removal of Sensitive Information Before Storage or TransferThe product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
References