CVE-2021-3602

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

CVSS v3 5.5 MEDIUM
CVSS v2.0 1.9 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.9^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1969264	Issue Tracking Patch Third Party Advisory
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0	Patch Third Party Advisory
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj	Third Party Advisory
https://ubuntu.com/security/CVE-2021-3602	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*

History

No history.

Information

Published : 2022-03-03 19:15

Updated : 2024-02-28 19:09

NVD link : CVE-2021-3602

Mitre link : CVE-2021-3602

CVE.ORG link : CVE-2021-3602

JSON object : View

Products Affected

redhat

enterprise_linux
enterprise_linux_for_ibm_z_systems
enterprise_linux_for_power_little_endian

buildah_project

buildah

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2021-3602", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-03-03T19:15:08.107", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://ubuntu.com/security/CVE-2021-3602", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-212"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}, {"lang": "es", "value": "Se ha encontrado un fallo de divulgaci\u00f3n de informaci\u00f3n en Buildah, cuando son construidos contenedores usando el aislamiento chroot. Los procesos que son ejecutados en las construcciones de contenedores (por ejemplo, los comandos RUN de Dockerfile) pueden acceder a las variables de entorno de los procesos padres y abuelos. Cuando es ejecutado en un contenedor en un entorno CI/CD, las variables de entorno pueden incluir informaci\u00f3n confidencial que fue compartida con el contenedor para ser usada s\u00f3lo por el propio Buildah (por ejemplo, las credenciales del registro del contenedor)"}], "lastModified": "2022-10-24T14:22:45.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CE147BD-61D6-43D8-86A8-3C3CB16D200F", "versionEndExcluding": "1.16.8"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A83393-DA38-4D39-93E0-D238F6955564", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06B356AF-631F-4568-B0A1-D43673CD212D", "versionEndExcluding": "1.19.9", "versionStartIncluding": "1.19.0"}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69D2AE6F-D695-4079-82CF-0C9E532484B5", "versionEndExcluding": "1.21.3", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}