CVE-2021-3602

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-3602
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-03-03 19:15:00 UTC
Updated2022-10-24 14:22:00 UTC
DescriptionAn information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Risk And Classification

Problem Types: CWE-212

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Buildah Project Buildah All All All All
Operating System Redhat Enterprise Linux 8.0 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems 8.0 All All All
Operating System Redhat Enterprise Linux For Power Little Endian 8.0 All All All

References

ReferenceSourceLinkTags
CVE-2021-3602 | Ubuntu MISC ubuntu.com
1969264 – (CVE-2021-3602) CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation MISC bugzilla.redhat.com
chroot: fix environment value leakage to intermediate processes · containers/buildah@a468ce0 · GitHub MISC github.com
chroot isolation: environment value leakage to intermediate processes · Advisory · containers/buildah · GitHub MISC github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 159464 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2021-4154)
  • 159471 Oracle Enterprise Linux Security Update for container-tools:2.0 (ELSA-2021-4221)
  • 159472 Oracle Enterprise Linux Security Update for container-tools:3.0 (ELSA-2021-4222)
  • 183485 Debian Security Update for golang-github-containers-buildah (CVE-2021-3602)
  • 239805 Red Hat Update for container-tools:3.0 (RHSA-2021:4222)
  • 239806 Red Hat Update for container-tools:2.0 (RHSA-2021:4221)
  • 239825 Red Hat Update for container-tools:rhel8 security (RHSA-2021:4154)
  • 281738 Fedora Security Update for podman (FEDORA-2021-723a480816)
  • 281796 Fedora Security Update for buildah (FEDORA-2021-112557d2c5)
  • 281797 Fedora Security Update for buildah (FEDORA-2021-440e34200c)
  • 281798 Fedora Security Update for containernetworking (FEDORA-2021-0c53d8738d)
  • 501809 Alpine Linux Security Update for buildah
  • 501898 Alpine Linux Security Update for podman
  • 504591 Alpine Linux Security Update for buildah
  • 751822 OpenSUSE Security Update for conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)
  • 752014 SUSE Enterprise Linux Security Update for conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)
  • 752601 SUSE Enterprise Linux Security Update for libcontainers-common (SUSE-SU-2022:3312-1)
  • 940445 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2021:4154)
  • 940446 AlmaLinux Security Update for container-tools:3.0 (ALSA-2021:4222)
  • 940511 AlmaLinux Security Update for container-tools:2.0 (ALSA-2021:4221)
  • 960213 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2021:4154)
  • 960356 Rocky Linux Security Update for container-tools:2.0 (RLSA-2021:4221)
  • 960447 Rocky Linux Security Update for container-tools:3.0 (RLSA-2021:4222)
  • 982002 Go (go) Security Update for github.com/containers/buildah (GHSA-7638-r9r3-rmjj)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report