CVE-2021-3602

MEDIUM

Buildah < 1.16.8 - Information Disclosure

Title source: rule

Description

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

References (4)

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1969264

[Patch, Third Party Advisory] https://ubuntu.com/security/CVE-2021-3602

[Third Party Advisory] https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj

[Patch, Third Party Advisory] https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

Scores

CVSS v3 5.5

EPSS 0.0012

EPSS Percentile 30.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-212 CWE-200

Status published

Products (5)

buildah_project/buildah < 1.16.8

containers/buildah 0 - 1.16.8Go

redhat/enterprise_linux 8.0

redhat/enterprise_linux_for_ibm_z_systems 8.0

redhat/enterprise_linux_for_power_little_endian 8.0

Published Mar 03, 2022

Tracked Since Feb 18, 2026