Vulnerability Details : CVE-2021-3602
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Vulnerability category: Information leak
Products affected by CVE-2021-3602
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3602
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 7 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3602
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
NIST | |
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2021-3602
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: secalert@redhat.com (Secondary)
-
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-3602
-
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
chroot: fix environment value leakage to intermediate processes · containers/buildah@a468ce0 · GitHubPatch;Third Party Advisory
-
https://ubuntu.com/security/CVE-2021-3602
CVE-2021-3602 | UbuntuPatch;Third Party Advisory
-
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
chroot isolation: environment value leakage to intermediate processes · Advisory · containers/buildah · GitHubThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
1969264 – (CVE-2021-3602) CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolationIssue Tracking;Patch;Third Party Advisory
Jump to