CVE-2021-3602 — Environment variable leakage in github.com/containers/buildah

Description

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

How to fix CVE-2021-3602

To remediate CVE-2021-3602, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.16.8 or later
—upgrade to 1.22.0 or later

Is CVE-2021-3602 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 1.16.8
from 0, < 1.22.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3602
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3602
PATCHgithub.com/containers/buildah
WEBbugzilla.redhat.com/show_bug.cgi?id=1969264
WEB