// For flags

CVE-2021-3602

buildah: Host environment variables leaked in build container when using chroot isolation

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Se ha encontrado un fallo de divulgación de información en Buildah, cuando son construidos contenedores usando el aislamiento chroot. Los procesos que son ejecutados en las construcciones de contenedores (por ejemplo, los comandos RUN de Dockerfile) pueden acceder a las variables de entorno de los procesos padres y abuelos. Cuando es ejecutado en un contenedor en un entorno CI/CD, las variables de entorno pueden incluir información confidencial que fue compartida con el contenedor para ser usada sólo por el propio Buildah (por ejemplo, las credenciales del registro del contenedor)

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-15 CVE Reserved
  • 2021-11-10 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Buildah Project
Search vendor "Buildah Project"
 Buildah
Search vendor "Buildah Project" for product "Buildah"
 < 1.16.8
Search vendor "Buildah Project" for product "Buildah" and version " < 1.16.8"
-
Affected
Buildah Project
Search vendor "Buildah Project"
 Buildah
Search vendor "Buildah Project" for product "Buildah"
 >= 1.17.0 < 1.17.2
Search vendor "Buildah Project" for product "Buildah" and version " >= 1.17.0 < 1.17.2"
-
Affected
Buildah Project
Search vendor "Buildah Project"
 Buildah
Search vendor "Buildah Project" for product "Buildah"
 >= 1.19.0 < 1.19.9
Search vendor "Buildah Project" for product "Buildah" and version " >= 1.19.0 < 1.19.9"
-
Affected
Buildah Project
Search vendor "Buildah Project"
 Buildah
Search vendor "Buildah Project" for product "Buildah"
 >= 1.21.0 < 1.21.3
Search vendor "Buildah Project" for product "Buildah" and version " >= 1.21.0 < 1.21.3"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
 8.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "8.0"
-
Affected