CVE-2021-3602

Sažetak

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1969264
https://ubuntu.com/security/CVE-2021-3602
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

CVSS

Base:	1.9
Impact:	2.9
Exploitability:	3.4

Pristup

Vektor	Složenost	Autentikacija
LOCAL	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:L/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

24-10-2022 - 14:22

Objavljeno

03-03-2022 - 19:15