Candidate: CVE-2021-3602
PublicDate: 2022-03-03 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3602
 https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
 https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 (main)
 https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683 (release-1.21)
 https://github.com/containers/buildah/commit/f4f2a7fc78fa4f12e2f6e6c4ab450aae0d182f3e (release-1.19)
Description:
 An information disclosure flaw was found in Buildah, when building
 containers using chroot isolation. Running processes in container builds
 (e.g. Dockerfile RUN commands) can access environment variables from parent
 and grandparent processes. When run in a container in a CI/CD environment,
 environment variables may include sensitive information that was shared
 with the container in order to be used only by Buildah itself (e.g.
 container registry credentials).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]


Patches_golang-github-containers-buildah:
upstream_golang-github-containers-buildah: needs-triage
trusty_golang-github-containers-buildah: ignored (out of standard support)
trusty/esm_golang-github-containers-buildah: DNE
xenial_golang-github-containers-buildah: ignored (out of standard support)
bionic_golang-github-containers-buildah: DNE
focal_golang-github-containers-buildah: DNE
groovy_golang-github-containers-buildah: ignored (reached end-of-life)
hirsute_golang-github-containers-buildah: ignored (reached end-of-life)
impish_golang-github-containers-buildah: needed
jammy_golang-github-containers-buildah: needed
devel_golang-github-containers-buildah: needed