{"api_version":"1","generated_at":"2026-04-23T01:32:29+00:00","cve":"CVE-2021-3602","urls":{"html":"https://cve.report/CVE-2021-3602","api":"https://cve.report/api/cve/CVE-2021-3602.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3602","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3602"},"summary":{"title":"CVE-2021-3602","description":"An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-03-03 19:15:00","updated_at":"2022-10-24 14:22:00"},"problem_types":["CWE-212"],"metrics":[],"references":[{"url":"https://ubuntu.com/security/CVE-2021-3602","name":"https://ubuntu.com/security/CVE-2021-3602","refsource":"MISC","tags":[],"title":"CVE-2021-3602 | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1969264","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1969264","refsource":"MISC","tags":[],"title":"1969264 – (CVE-2021-3602) CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0","name":"https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0","refsource":"MISC","tags":[],"title":"chroot: fix environment value leakage to intermediate processes · containers/buildah@a468ce0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj","name":"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj","refsource":"MISC","tags":[],"title":"chroot isolation: environment value leakage to intermediate processes · Advisory · containers/buildah · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3602","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3602","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"buildah_project","cpe5":"buildah","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3602","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3602","qid":"159464","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2021-4154)"},{"cve":"CVE-2021-3602","qid":"159471","title":"Oracle Enterprise Linux Security Update for container-tools:2.0 (ELSA-2021-4221)"},{"cve":"CVE-2021-3602","qid":"159472","title":"Oracle Enterprise Linux Security Update for container-tools:3.0 (ELSA-2021-4222)"},{"cve":"CVE-2021-3602","qid":"183485","title":"Debian Security Update for golang-github-containers-buildah (CVE-2021-3602)"},{"cve":"CVE-2021-3602","qid":"239805","title":"Red Hat Update for container-tools:3.0 (RHSA-2021:4222)"},{"cve":"CVE-2021-3602","qid":"239806","title":"Red Hat Update for container-tools:2.0 (RHSA-2021:4221)"},{"cve":"CVE-2021-3602","qid":"239825","title":"Red Hat Update for container-tools:rhel8 security (RHSA-2021:4154)"},{"cve":"CVE-2021-3602","qid":"281738","title":"Fedora Security Update for podman (FEDORA-2021-723a480816)"},{"cve":"CVE-2021-3602","qid":"281796","title":"Fedora Security Update for buildah (FEDORA-2021-112557d2c5)"},{"cve":"CVE-2021-3602","qid":"281797","title":"Fedora Security Update for buildah (FEDORA-2021-440e34200c)"},{"cve":"CVE-2021-3602","qid":"281798","title":"Fedora Security Update for containernetworking (FEDORA-2021-0c53d8738d)"},{"cve":"CVE-2021-3602","qid":"501809","title":"Alpine Linux Security Update for buildah"},{"cve":"CVE-2021-3602","qid":"501898","title":"Alpine Linux Security Update for podman"},{"cve":"CVE-2021-3602","qid":"504591","title":"Alpine Linux Security Update for buildah"},{"cve":"CVE-2021-3602","qid":"751822","title":"OpenSUSE Security Update for conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-3602","qid":"752014","title":"SUSE Enterprise Linux Security Update for conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-3602","qid":"752601","title":"SUSE Enterprise Linux Security Update for libcontainers-common (SUSE-SU-2022:3312-1)"},{"cve":"CVE-2021-3602","qid":"940445","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2021:4154)"},{"cve":"CVE-2021-3602","qid":"940446","title":"AlmaLinux Security Update for container-tools:3.0 (ALSA-2021:4222)"},{"cve":"CVE-2021-3602","qid":"940511","title":"AlmaLinux Security Update for container-tools:2.0 (ALSA-2021:4221)"},{"cve":"CVE-2021-3602","qid":"960213","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2021:4154)"},{"cve":"CVE-2021-3602","qid":"960356","title":"Rocky Linux Security Update for container-tools:2.0 (RLSA-2021:4221)"},{"cve":"CVE-2021-3602","qid":"960447","title":"Rocky Linux Security Update for container-tools:3.0 (RLSA-2021:4222)"},{"cve":"CVE-2021-3602","qid":"982002","title":"Go (go) Security Update for github.com/containers/buildah (GHSA-7638-r9r3-rmjj)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-3602","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"buildah","version":{"version_data":[{"version_value":"Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1969264","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1969264"},{"refsource":"MISC","name":"https://ubuntu.com/security/CVE-2021-3602","url":"https://ubuntu.com/security/CVE-2021-3602"},{"refsource":"MISC","name":"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj","url":"https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"},{"refsource":"MISC","name":"https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0","url":"https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"}]},"description":{"description_data":[{"lang":"eng","value":"An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}]}},"nvd":{"publishedDate":"2022-03-03 19:15:00","lastModifiedDate":"2022-10-24 14:22:00","problem_types":["CWE-212"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":1.9},"severity":"LOW","exploitabilityScore":3.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*","versionStartIncluding":"1.21.0","versionEndExcluding":"1.21.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*","versionStartIncluding":"1.19.0","versionEndExcluding":"1.19.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*","versionStartIncluding":"1.17.0","versionEndExcluding":"1.17.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*","versionEndExcluding":"1.16.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3602","Ordinal":"210166","Title":"CVE-2021-3602","CVE":"CVE-2021-3602","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3602","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}