PT-2021-21101 · Buildah+7

Nalind · Published 2020-12-08 · Updated 2024-06-15 · CVE-2021-3602

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Buildah versions prior to 1.21.3
Description: An information disclosure flaw was found in Buildah when building containers using chroot isolation. Running processes in container builds, such as Dockerfile RUN commands, can access environment variables from parent and grandparent processes. In a CI/CD environment, these environment variables may include sensitive information, like container registry credentials, that was shared with the container to be used only by Buildah itself.
Recommendations: For versions prior to 1.21.3, upgrade packages or images to include version 1.21.3 or later. As a temporary workaround, consider invoking buildah in a container under env -i to have it started with a reinitialized environment, which should prevent the leakage.
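The following helper script is an added example, not part of this advisory or of the Buildah project. It shows the two checks a defender would want from the text above: whether an installed version is before the fixed 1.21.3, and how `env -i` keeps a secret exported in the calling shell out of a child process. It assumes POSIX sh with `env -i`; the variable name CI_REGISTRY_PASSWORD and its value are constructed for the demonstration.

```sh
# Added helper (not from the advisory or the Buildah project). Assumes POSIX sh.

# Return 0 if VERSION (e.g. "1.21.2", "v1.19.8-dev") is before 1.21.3, else 1.
# An empty or unparsable version is treated as affected (conservative).
buildah_version_affected() {
  ver=${1#v}                 # drop a leading "v"
  ver=${ver%%[!0-9.]*}       # drop "-dev", "+git..." style suffixes
  oldifs=$IFS; IFS=.
  set -- $ver                # split x.y.z into positional parameters
  IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 21 ] && return 0
  [ "$minor" -gt 21 ] && return 1
  [ "$patch" -lt 3 ] && return 0
  return 1
}

# Run COMMAND with a reinitialized environment carrying only PATH and HOME, so
# registry credentials or CI tokens exported in this shell are not inherited by
# processes the build starts (e.g. Dockerfile RUN steps under chroot isolation).
# Hand registry credentials to buildah through a file (its --authfile option).
run_with_clean_env() {
  env -i PATH="$PATH" HOME="$HOME" "$@"
}

# Probes: what does a child process see of a secret exported in this shell?
export CI_REGISTRY_PASSWORD='constructed-secret'   # constructed, not a real credential

probe_env_inherited() {   # plain child process: prints the secret
  sh -c 'printf "%s" "${CI_REGISTRY_PASSWORD:-}"'
}

probe_env_clean() {       # child started under env -i: prints nothing
  run_with_clean_env sh -c 'printf "%s" "${CI_REGISTRY_PASSWORD:-}"'
}

# Stand-alone usage: check the installed buildah, if any, then show both probes.
if command -v buildah >/dev/null 2>&1; then
  installed=$(buildah version 2>/dev/null | awk '/^Version:/ { print $2 }')
  if buildah_version_affected "$installed"; then
    echo "buildah ${installed:-unknown}: affected, upgrade to 1.21.3 or later"
  else
    echo "buildah $installed: fixed"
  fi
fi
echo "inherited env sees: '$(probe_env_inherited)'"
echo "env -i child sees:  '$(probe_env_clean)'"
```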

Fix

Information Disclosure

Related Identifiers

ALSA-2021:4154
ALSA-2021:4221
ALSA-2021:4222
ALT-PU-2020-3461
ALT-PU-2021-1817
ALT-PU-2021-2715
ALT-PU-2021-3548
ALT-PU-2022-1246
ALT-PU-2022-1252
AZL-39837
AZL-44154
CESA-2021_4154
CESA-2021_4221
CESA-2021_4222
CVE-2021-3602
GHSA-7638-R9R3-RMJJ
GO-2022-0345
MGASA-2023-0213
OPENSUSE-SU-2022:23018-1
OPENSUSE-SU-2022_23018-1
OPENSUSE-SU-2024:11757-1
RHSA-2021:4154
RHSA-2021:4221
RHSA-2021:4222
RHSA-2021_4154
RHSA-2021_4221
RHSA-2021_4222
RLSA-2021:4154
RLSA-2021:4221
RLSA-2021:4222
SUSE-SU-2022:23018-1
SUSE-SU-2022:3312-1

Affected Products

Alt Linux
Almalinux
Buildah
Centos
Debian
Red Hat
Rocky Linux
Suse