Lucene search

K
cveRedhatCVE-2021-3602
HistoryMar 03, 2022 - 7:15 p.m.

CVE-2021-3602

2022-03-0319:15:08
CWE-200
CWE-212
redhat
web.nvd.nist.gov
153
2
cve-2021-3602
information disclosure
buildah
container builds
chroot isolation
security vulnerability
nvd

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0

Percentile

15.5%

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Affected configurations

Nvd
Vulners
Node
buildah_projectbuildahRange<1.16.8
OR
buildah_projectbuildahRange1.17.01.17.2
OR
buildah_projectbuildahRange1.19.01.19.9
OR
buildah_projectbuildahRange1.21.01.21.3
Node
redhatenterprise_linuxMatch8.0
OR
redhatenterprise_linux_for_ibm_z_systemsMatch8.0
OR
redhatenterprise_linux_for_power_little_endianMatch8.0
VendorProductVersionCPE
buildah_projectbuildah*cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_ibm_z_systems8.0cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_power_little_endian8.0cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "buildah",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."
      }
    ]
  }
]

Social References

More

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0

Percentile

15.5%