Lucene search

RedhatCVE-2021-3602

HistoryMar 03, 2022 - 7:15 p.m.

CVE-2021-3602

2022-03-0319:15:08

CWE-200

CWE-212

redhat

web.nvd.nist.gov

153

cve-2021-3602

information disclosure

buildah

container builds

chroot isolation

security vulnerability

nvd

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

Percentile

15.5%

JSON

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Affected configurations

Nvd

Vulners

Node

buildah_projectbuildahRange<1.16.8

buildah_projectbuildahRange1.17.0–1.17.2

buildah_projectbuildahRange1.19.0–1.19.9

buildah_projectbuildahRange1.21.0–1.21.3

Node

redhatenterprise_linuxMatch8.0

redhatenterprise_linux_for_ibm_z_systemsMatch8.0

redhatenterprise_linux_for_power_little_endianMatch8.0

VendorProductVersionCPE
buildah_projectbuildah*cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_ibm_z_systems8.0cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_power_little_endian8.0cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
buildah_project	buildah	*	cpe:2.3:a:buildah_project:buildah::::::::
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux_for_ibm_z_systems	8.0	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
redhat	enterprise_linux_for_power_little_endian	8.0	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*

CNA Affected

[
  {
    "product": "buildah",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."
      }
    ]
  }
]