CVE-2021-3602

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
buildah_projectbuildah
𝑥
< 1.16.8
buildah_projectbuildah
1.17.0 ≤
𝑥
< 1.17.2
buildah_projectbuildah
1.19.0 ≤
𝑥
< 1.19.9
buildah_projectbuildah
1.21.0 ≤
𝑥
< 1.21.3
redhatenterprise_linux
8.0
redhatenterprise_linux_for_ibm_z_systems
8.0
redhatenterprise_linux_for_power_little_endian
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-containers-buildah
bullseye
no-dsa
bookworm
1.28.2+ds1-3
fixed
sid
1.37.5+ds1-1
fixed
trixie
1.37.5+ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-containers-buildah
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
dne
bionic
dne
xenial
ignored
trusty
dne
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
https://ubuntu.com/security/CVE-2021-3602
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
https://ubuntu.com/security/CVE-2021-3602