CVE-2021-3602

Description

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
• v2.0•LOW•Score: 1.9AV:L/AC:M/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.17%• Percentile: 37%

Techniques & Countermeasures

• CWE-212•Improper Removal of Sensitive Information Before Storage or Transfer

  The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

• buildah_project•buildah

  < 1.16.8 | ≥ 1.17.0, < 1.17.2 | ≥ 1.19.0, < 1.19.9 | ≥ 1.21.0, < 1.21.3

• github.com/containers•buildah

  < 1.22.0 | < 1.16.8 | ≥ 1.17.0, < 1.17.2 | ≥ 1.18.0, < 1.19.9 | ≥ 1.20.0, < 1.21.3

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_for_ibm_z_systems

  8.0

• redhat•enterprise_linux_for_power_little_endian

  8.0

References (7)

• https://bugzilla.redhat.com/show_bug.cgi?id=1969264
• https://ubuntu.com/security/CVE-2021-3602
• https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
• https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
• https://nvd.nist.gov/vuln/detail/CVE-2021-3602
• https://github.com/containers/buildah
• https://pkg.go.dev/vuln/GO-2022-0345