CVE-2021-3602

{"id": "CVE-2021-3602", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-03-03T19:15:08.107", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://ubuntu.com/security/CVE-2021-3602", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ubuntu.com/security/CVE-2021-3602", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-212"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}, {"lang": "es", "value": "Se ha encontrado un fallo de divulgaci\u00f3n de informaci\u00f3n en Buildah, cuando son construidos contenedores usando el aislamiento chroot. Los procesos que son ejecutados en las construcciones de contenedores (por ejemplo, los comandos RUN de Dockerfile) pueden acceder a las variables de entorno de los procesos padres y abuelos. Cuando es ejecutado en un contenedor en un entorno CI/CD, las variables de entorno pueden incluir informaci\u00f3n confidencial que fue compartida con el contenedor para ser usada s\u00f3lo por el propio Buildah (por ejemplo, las credenciales del registro del contenedor)"}], "lastModified": "2024-11-21T06:21:57.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CE147BD-61D6-43D8-86A8-3C3CB16D200F", "versionEndExcluding": "1.16.8"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A83393-DA38-4D39-93E0-D238F6955564", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06B356AF-631F-4568-B0A1-D43673CD212D", "versionEndExcluding": "1.19.9", "versionStartIncluding": "1.19.0"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69D2AE6F-D695-4079-82CF-0C9E532484B5", "versionEndExcluding": "1.21.3", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}