QwikSec

Security Database

CVE

CWE

Training

CVE-2021-3602

Published: Mar 3, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Vendor	Product	Versions
n/a	buildah	affected `Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above.`

Weaknesses (CWE)

References

https://bugzilla.redhat.com/show_bug.cgi?id=1969264

x_refsource_MISC

https://ubuntu.com/security/CVE-2021-3602

x_refsource_MISC

https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj

x_refsource_MISC

https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.