Lucene search

[email protected]NVD:CVE-2021-3602

HistoryMar 03, 2022 - 7:15 p.m.

CVE-2021-3602

2022-03-0319:15:08

CWE-212

CWE-200

[email protected]

web.nvd.nist.gov

buildah

information disclosure

container builds

environment variables

sensitive information

container registry credentials

cve-2021-3602

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

15.5%

JSON

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Affected configurations

Nvd

Node

buildah_projectbuildahRange<1.16.8

buildah_projectbuildahRange1.17.0–1.17.2

buildah_projectbuildahRange1.19.0–1.19.9

buildah_projectbuildahRange1.21.0–1.21.3

Node

redhatenterprise_linuxMatch8.0

redhatenterprise_linux_for_ibm_z_systemsMatch8.0

redhatenterprise_linux_for_power_little_endianMatch8.0

VendorProductVersionCPE
buildah_projectbuildah*cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_ibm_z_systems8.0cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
redhatenterprise_linux_for_power_little_endian8.0cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
buildah_project	buildah	*	cpe:2.3:a:buildah_project:buildah::::::::
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux_for_ibm_z_systems	8.0	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
redhat	enterprise_linux_for_power_little_endian	8.0	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*