CVE-2021-3602

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

CVSS v3.0 5.5 MEDIUM
CVSS v2.0 1.9 LOW

5.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.9^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1969264	Issue Tracking Patch Third Party Advisory
https://ubuntu.com/security/CVE-2021-3602	Patch Third Party Advisory
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj	Third Party Advisory
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::
	cpe:2.3:a:buildah_project:buildah::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*

Information

Published : 2022-03-03 11:15

Updated : 2022-10-24 07:22

NVD link : CVE-2021-3602

Mitre link : CVE-2021-3602

JSON object : View

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

Advertisement

Products Affected

buildah_project

buildah

redhat

enterprise_linux_for_ibm_z_systems
enterprise_linux_for_power_little_endian
enterprise_linux

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://ubuntu.com/security/CVE-2021-3602", "name": "https://ubuntu.com/security/CVE-2021-3602", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "name": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "name": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-212"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-3602", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2022-03-03T19:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.21.3", "versionStartIncluding": "1.21.0"}, {"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.19.9", "versionStartIncluding": "1.19.0"}, {"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0"}, {"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.16.8"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-10-24T14:22Z"}