CVE-2021-3602

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:21

Type Values Removed Values Added
References () https://bugzilla.redhat.com/show_bug.cgi?id=1969264 - Issue Tracking, Patch, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=1969264 - Issue Tracking, Patch, Third Party Advisory
References () https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 - Patch, Third Party Advisory () https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 - Patch, Third Party Advisory
References () https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj - Third Party Advisory () https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj - Third Party Advisory
References () https://ubuntu.com/security/CVE-2021-3602 - Patch, Third Party Advisory () https://ubuntu.com/security/CVE-2021-3602 - Patch, Third Party Advisory

Information

Published : 2022-03-03 19:15

Updated : 2024-11-21 06:21


NVD link : CVE-2021-3602

Mitre link : CVE-2021-3602

CVE.ORG link : CVE-2021-3602


JSON object : View

Products Affected

redhat

  • enterprise_linux_for_ibm_z_systems
  • enterprise_linux
  • enterprise_linux_for_power_little_endian

buildah_project

  • buildah
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer