CVE-2021-3602
MEDIUMBuildah < 1.16.8 - Information Disclosure via Chroot Isolation
Title source: llmDescription
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
Patch, Third Party Advisory x_refsource_misc
https://ubuntu.com/security/CVE-2021-3602
Third Party Advisory x_refsource_misc
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
Patch, Third Party Advisory x_refsource_misc
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
Scores
CVSS v3
5.5
EPSS
0.0032
EPSS Percentile
23.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-212
CWE-200
Status
published
Products (5)
buildah_project/buildah
< 1.16.8
containers/buildah
0 - 1.16.8Go
redhat/enterprise_linux
8.0
redhat/enterprise_linux_for_ibm_z_systems
8.0
redhat/enterprise_linux_for_power_little_endian
8.0
Published
Mar 03, 2022
Tracked Since
Feb 18, 2026