gsd-2021-3602
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-3602",
"description": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).",
"id": "GSD-2021-3602",
"references": [
"https://www.suse.com/security/cve/CVE-2021-3602.html",
"https://access.redhat.com/errata/RHSA-2021:4222",
"https://access.redhat.com/errata/RHSA-2021:4221",
"https://access.redhat.com/errata/RHSA-2021:4154",
"https://linux.oracle.com/cve/CVE-2021-3602.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-3602"
],
"details": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).",
"id": "GSD-2021-3602",
"modified": "2023-12-13T01:23:34.167752Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3602",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "buildah",
"version": {
"version_data": [
{
"version_value": "Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"
},
{
"name": "https://ubuntu.com/security/CVE-2021-3602",
"refsource": "MISC",
"url": "https://ubuntu.com/security/CVE-2021-3602"
},
{
"name": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj",
"refsource": "MISC",
"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"
},
{
"name": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0",
"refsource": "MISC",
"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.16.7||\u003e=1.17.0 \u003c=1.17.1||\u003e=1.18.0 \u003c=1.19.8||\u003e=1.20.0 \u003c=1.21.2",
"affected_versions": "All versions up to 1.16.7, all versions starting from 1.17.0 up to 1.17.1, all versions starting from 1.18.0 up to 1.19.8, all versions starting from 1.20.0 up to 1.21.2",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-07-19",
"description": "### Impact\nWhen running processes using \"chroot\" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to.\n\n### Patches\nUsers should upgrade packages, or images which contain packages, to include version 1.21.3 or later.\n\n### Workarounds\nAs a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [buildah](https://github.com/containers/buildah/issues)\n* Email us at [the buildah general mailing list](mailto:buildah@lists.buildah.io), or [the podman security mailing list](mailto:security@lists.podman.io) if it\u0027s sensitive.",
"fixed_versions": [
"1.16.8",
"1.17.2",
"1.19.9",
"1.21.3"
],
"identifier": "GMS-2021-89",
"identifiers": [
"GHSA-7638-r9r3-rmjj",
"GMS-2021-89",
"CVE-2021-3602"
],
"not_impacted": "All versions after 1.16.7 before 1.17.0, all versions after 1.17.1 before 1.18.0, all versions after 1.19.8 before 1.20.0, all versions after 1.21.2",
"package_slug": "go/github.com/containers/buildah",
"pubdate": "2021-07-19",
"solution": "Upgrade to versions 1.16.8, 1.17.2, 1.19.9, 1.21.3 or above.",
"title": "chroot isolation: environment value leakage to intermediate processes",
"urls": [
"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj",
"https://github.com/advisories/GHSA-7638-r9r3-rmjj"
],
"uuid": "5c690d13-bdf4-4325-8144-50b3f34ef63b"
},
{
"affected_range": "\u003c=v1.16.7 || \u003e=v1.17.0 \u003c=v1.17.1 || \u003e=v1.18.0 \u003c=v1.19.8 || \u003e=v1.20.0 \u003c=v1.21.2",
"affected_versions": "All versions up to 1.16.7, all versions starting from 1.17.0 up to 1.17.1, all versions starting from 1.18.0 up to 1.19.8, all versions starting from 1.20.0 up to 1.21.2",
"cvss_v2": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-212",
"CWE-937"
],
"date": "2023-02-07",
"description": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).",
"fixed_versions": [
"v1.16.8",
"v1.17.2",
"v1.19.9",
"v1.21.3"
],
"identifier": "CVE-2021-3602",
"identifiers": [
"GHSA-7638-r9r3-rmjj",
"CVE-2021-3602"
],
"not_impacted": "All versions after 1.16.7 before 1.17.0, all versions after 1.17.1 before 1.18.0, all versions after 1.19.8 before 1.20.0, all versions after 1.21.2",
"package_slug": "go/github.com/containers/buildah/chroot",
"pubdate": "2021-07-19",
"solution": "Upgrade to versions 1.16.8, 1.17.2, 1.19.9, 1.21.3 or above.",
"title": "Improper Removal of Sensitive Information Before Storage or Transfer",
"urls": [
"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj",
"https://nvd.nist.gov/vuln/detail/CVE-2021-3602",
"https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0",
"https://bugzilla.redhat.com/show_bug.cgi?id=1969264",
"https://ubuntu.com/security/CVE-2021-3602",
"https://pkg.go.dev/vuln/GO-2022-0345",
"https://github.com/advisories/GHSA-7638-r9r3-rmjj"
],
"uuid": "6b7d036f-c564-451f-885e-be898c76fbbe",
"versions": [
{
"commit": {
"sha": "8891d05dbaffc0b6013a48a68177b4ccec281f8c",
"tags": [
"v1.17.0"
],
"timestamp": "20201029223313"
},
"number": "v1.17.0"
},
{
"commit": {
"sha": "d3a01d0041789ab5967acd04f5c4501a0ba78f64",
"tags": [
"v1.18.0"
],
"timestamp": "20201116142522"
},
"number": "v1.18.0"
},
{
"commit": {
"sha": "d43312c273bd496449622cd81c58a953b3bb3ca0",
"tags": [
"v1.17.1"
],
"timestamp": "20201117111805"
},
"number": "v1.17.1"
},
{
"commit": {
"sha": "56ed75b4b8266affb45f5ffa971f5c83f1b96eaa",
"tags": [
"v1.16.7"
],
"timestamp": "20201130202401"
},
"number": "v1.16.7"
},
{
"commit": {
"sha": "d1c9523dcfb96a286c78da317fb3844ddd5b6476",
"tags": [
"v1.19.8"
],
"timestamp": "20210308150108"
},
"number": "v1.19.8"
},
{
"commit": {
"sha": "293e02ac068513a08c38dbe434dea73560f90c25",
"tags": [
"v1.20.0"
],
"timestamp": "20210325172806"
},
"number": "v1.20.0"
},
{
"commit": {
"sha": "af2a1d4d762a627e01a87f4aab4dd0c1876df6b6",
"tags": [
"v1.21.2"
],
"timestamp": "20210629140807"
},
"number": "v1.21.2"
},
{
"commit": {
"sha": "7f9540d2ab9037b7e175a4d1b36e85fc6541aeb5",
"tags": [
"v1.21.3"
],
"timestamp": "20210715140926"
},
"number": "v1.21.3"
},
{
"commit": {
"sha": "7219dd09b6f8077f647ec8add765224dc247b2f6",
"tags": [
"v1.17.2"
],
"timestamp": "20210715140926"
},
"number": "v1.17.2"
},
{
"commit": {
"sha": "a4caa7bd7436cb4ff607abc4cb27eb076c9442f5",
"tags": [
"v1.16.8"
],
"timestamp": "20210715140926"
},
"number": "v1.16.8"
},
{
"commit": {
"sha": "c1d6200be31286ea3cd4752ed1464b0f85ea388a",
"tags": [
"v1.19.9"
],
"timestamp": "20210715140926"
},
"number": "v1.19.9"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.21.3",
"versionStartIncluding": "1.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.19.9",
"versionStartIncluding": "1.19.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.17.2",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.16.8",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3602"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-212"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"
},
{
"name": "https://ubuntu.com/security/CVE-2021-3602",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2021-3602"
},
{
"name": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"
},
{
"name": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-10-24T14:22Z",
"publishedDate": "2022-03-03T19:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.