Vulnerability CVE-2021-3602


Published: 2022-03-03

Description:
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.9/10
2.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Redhat -> Enterprise linux 
Redhat -> Enterprise linux for ibm z systems 
Redhat -> Enterprise linux for power little endian 
Buildah project -> Buildah 

 References:
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
https://ubuntu.com/security/CVE-2021-3602
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

Copyright 2022, cxsecurity.com

 

Back to Top