MEDIUM · 5.5

CVE-2021-3602

Vulnerability Description

An information disclosure flaw was found in Buildah when building containers using chroot isolation. Processes running during a container build (e.g. Dockerfile RUN commands) can read the environment variables of their parent and grandparent processes. When Buildah runs inside a container in a CI/CD environment, those environment variables may hold sensitive information that was shared with the container for use by Buildah alone (e.g. container registry credentials), so a build step can read secrets it was never meant to see.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector:        LOCAL
Attack Complexity:    LOW
Privileges Required:  LOW
User Interaction:     NONE
Scope:                UNCHANGED
Confidentiality:      HIGH
Integrity:            NONE
Availability:         NONE

Affected Products

Vendor            Product                                       Versions
Buildah Project   Buildah                                       < 1.16.8
Redhat            Enterprise Linux                              8.0
Redhat            Enterprise Linux For Ibm Z Systems            8.0
Redhat            Enterprise Linux For Power Little Endian      8.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-3602?

CVE-2021-3602 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An information disclosure flaw was found in Buildah when building containers using chroot isolation. Processes running during a container build (e.g. Dockerfile RUN commands) can read the environment variables of their parent and grandparent processes. When Buildah runs inside a container in a CI/CD environment, those environment variables may hold sensitive information that was shared with the container for use by Buildah alone (e.g. container registry credentials).

How severe is CVE-2021-3602?

CVE-2021-3602 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for the detailed severity breakdown.

Is there a patch for CVE-2021-3602?

Check the references section above for vendor advisories and patch information. Affected products include: Buildah Project Buildah (versions before 1.16.8), Redhat Enterprise Linux, Redhat Enterprise Linux For Ibm Z Systems, and Redhat Enterprise Linux For Power Little Endian (8.0).