Information disclosure

2022-03-0319:15:00

PRIOn knowledge base

www.prio-n.com

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.2 Medium

AI Score

Confidence

High

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.7%

JSON

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

CPENameOperatorVersion
buildahge1.21.0
buildahlt1.21.3
buildahge1.19.0
buildahlt1.19.9
buildahge1.17.0
buildahlt1.17.2
buildahlt1.16.8
enterprise_linuxeq8.0
enterprise_linux_for_ibm_z_systemseq8.0
enterprise_linux_for_power_little_endianeq8.0

Name	Operator	Version
buildah	ge	1.21.0
buildah	lt	1.21.3
buildah	ge	1.19.0
buildah	lt	1.19.9
buildah	ge	1.17.0
buildah	lt	1.17.2
buildah	lt	1.16.8
enterprise_linux	eq	8.0
enterprise_linux_for_ibm_z_systems	eq	8.0
enterprise_linux_for_power_little_endian	eq	8.0