CVE-2021-3602 — Sensitive Information Exposure in Containers Buildah
Severity
5.5MEDIUMNVD
EPSS
0.1%
top 68.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 3
Latest updateJul 15
Description
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5buildah_project/buildahAffects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above.
Also affects: Enterprise Linux 8.0
Patches
🔴Vulnerability Details
5OSV▶
CVE-2021-3602: An information disclosure flaw was found in Buildah, when building containers using chroot isolation↗2022-03-03
CVEList▶
CVE-2021-3602: An information disclosure flaw was found in Buildah, when building containers using chroot isolation↗2022-03-03
OSV▶
Buildah processes using chroot isolation may leak environment values to intermediate processes↗2021-07-19
GHSA▶
Buildah processes using chroot isolation may leak environment values to intermediate processes↗2021-07-19
📋Vendor Advisories
3Microsoft▶
An information disclosure flaw was found in Buildah when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variabl↗2022-03-08
Red Hat▶
buildah: Host environment variables leaked in build container when using chroot isolation↗2021-07-15
Debian▶
CVE-2021-3602: golang-github-containers-buildah - An information disclosure flaw was found in Buildah, when building containers us...↗2021