Vulnerability Name:

CVE-2021-3602 (CCN-222287)

Assigned:2021-07-15
Published:2021-07-15
Updated:2022-10-24
Summary:An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
4.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.6 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
4.9 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
3.8 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-212
CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-3602

Source: CCN
Type: Red Hat Bugzilla - Bug 1969264
(CVE-2021-3602) - CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1969264

Source: XF
Type: UNKNOWN
buildah-cve20213602-info-disc(222287)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

Source: CCN
Type: buildah GIT Repository
chroot isolation: environment value leakage to intermediate processes

Source: MISC
Type: Third Party Advisory
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj

Source: MISC
Type: Patch, Third Party Advisory
https://ubuntu.com/security/CVE-2021-3602

Vulnerable Configuration:Configuration 1:
  • cpe:/a:buildah_project:buildah:*:*:*:*:*:*:*:* (Version >= 1.21.0 and < 1.21.3)
  • OR cpe:/a:buildah_project:buildah:*:*:*:*:*:*:*:* (Version >= 1.19.0 and < 1.19.9)
  • OR cpe:/a:buildah_project:buildah:*:*:*:*:*:*:*:* (Version >= 1.17.0 and < 1.17.2)
  • OR cpe:/a:buildah_project:buildah:*:*:*:*:*:*:*:* (Version < 1.16.8)

    • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7584
    P
    		libcontainers-common-20230214-150500.2.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:119728
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:118782
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:119739
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:118972
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:119826
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:119277
    P
    		Security update for libcontainers-common (Moderate) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:3000
    P
    		MozillaFirefox-68.1.0-109.92.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94630
    P
    		libcontainers-common-20210626-150400.1.3 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:98958
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-03-04
    oval:org.opensuse.security:def:994
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-02-25
    oval:org.opensuse.security:def:101615
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-02-25
    oval:org.opensuse.security:def:101684
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-02-25
    oval:org.opensuse.security:def:42308
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-02-25
    oval:org.opensuse.security:def:923
    P
    		Security update for conmon, libcontainers-common, libseccomp, podman (Moderate)
    2022-02-25
    oval:com.redhat.rhsa:def:20214154
    P
    		RHSA-2021:4154: container-tools:rhel8 security, bug fix, and enhancement update (Moderate)
    2021-11-09
    oval:com.redhat.rhsa:def:20214221
    P
    		RHSA-2021:4221: container-tools:2.0 security update (Moderate)
    2021-11-09
    oval:com.redhat.rhsa:def:20214222
    P
    		RHSA-2021:4222: container-tools:3.0 security and bug fix update (Moderate)
    2021-11-09
    BACK
    buildah_project buildah *
    buildah_project buildah *
    buildah_project buildah *
    buildah_project buildah *
    redhat enterprise linux 8.0
    redhat enterprise linux for power little endian 8.0
    redhat enterprise linux for ibm z systems 8.0