CVE-2021-3602

Name
CVE-2021-3602
Description
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1969264
Patch https://ubuntu.com/security/CVE-2021-3602
Third Party Advisory https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
Patch https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:* buildah >= None < 1.16.8
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:* buildah >= 1.17.0 < 1.17.2
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:* buildah >= 1.19.0 < 1.19.9
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:* buildah >= 1.21.0 < 1.21.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status