Fluid Attacks Database

Description

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/containers/buildah/chroot	>=0 <=1.16.7 \|\| >=1.17.0 <=1.17.1 \|\| >=1.18.0 <=1.19.8 \|\| >=1.20.0 <=1.21.2	v1.16.8, v1.17.2, v1.19.9, v1.21.3
debian 12	golang-github-containers-buildah	>=0 <1.22.3+ds1-1	1.22.3+ds1-1
debian 13	golang-github-containers-buildah	>=0 <1.22.3+ds1-1	1.22.3+ds1-1
debian 11	golang-github-containers-buildah	=1.19.6+dfsg1-1 \|\| =1.20.0+ds1-1 \|\| =1.20.1+ds1-1 \|\| =1.20.1+ds1-2 \|\| =1.21.0+ds1-2 \|\| =1.21.3+ds1-1 \|\| =1.22.3+ds1-1 \|\| =1.22.3+ds1-2 \|\| =1.23.1+ds1-1 \|\| =1.23.1+ds1-2 \|\| =1.23.1+ds1-3 \|\| =1.24.1+ds1-1 \|\| =1.26.1+ds1-1 \|\| =1.27.0+ds1-2 \|\| =1.27.0+ds1-3 \|\| =1.27.0+ds1-4 \|\| =1.27.0+ds1-5 \|\| =1.27.0+ds1-6 \|\| =1.28.0+ds1-1 \|\| =1.28.0+ds1-2 \|\| =1.28.0+ds1-3 \|\| =1.28.2+ds1-1 \|\| =1.28.2+ds1-2 \|\| =1.28.2+ds1-3 \|\| =1.29.0+ds1-1 \|\| =1.30.0+ds1-1 \|\| =1.30.0+ds1-2 \|\| =1.30.0+ds1-3 \|\| =1.31.2+ds1-1 \|\| =1.31.2+ds1-2 \|\| =1.31.2+ds1-3 \|\| =1.32.0+ds1-1 \|\| =1.32.0+ds1-2 \|\| =1.32.2+ds1-1 \|\| =1.33.1+ds1-1 \|\| =1.33.1+ds1-2 \|\| =1.33.3+ds1-1 \|\| =1.33.3+ds1-2 \|\| =1.33.5+ds1-3 \|\| =1.33.5+ds1-4 \|\| =1.33.7+ds1-1 \|\| =1.34.0+ds1-1 \|\| =1.34.0+ds1-2 \|\| =1.35.3+ds1-1 \|\| =1.35.3+ds1-2 \|\| =1.35.3+ds1-3 \|\| =1.37.0+ds1-1 \|\| =1.37.1+ds1-1 \|\| =1.37.1+ds1-2 \|\| =1.37.2+ds1-1 \|\| =1.37.2+ds1-2 \|\| =1.37.2+ds1-3 \|\| =1.37.3+ds1-1 \|\| =1.37.3+ds1-2 \|\| =1.37.3+ds1-3 \|\| =1.37.4+ds1-1 \|\| =1.37.5+ds1-1 \|\| =1.38.0+ds1-1 \|\| =1.38.0+ds1-2 \|\| =1.38.1+ds1-1 \|\| =1.39.0+ds1-1 \|\| =1.39.3+ds1-1 \|\| =1.41.4+ds1-1 \|\| =1.41.4+ds1-2 \|\| =1.41.4+ds1-3 \|\| =1.41.5+ds1-1 \|\| =1.41.5+ds1-2 \|\| =1.41.5+ds1-3 \|\| =1.41.5+ds1-4 \|\| =1.42.1+ds1-1 \|\| =1.42.1+ds1-2 \|\| =1.43.0+ds1-1 \|\| =1.43.0+ds1-2 \|\| =1.43.1+ds1-1	-
debian 14	golang-github-containers-buildah	>=0 <1.22.3+ds1-1	1.22.3+ds1-1
go	github.com/containers/buildah	>=0 <1.16.8 \|\| >=1.17.0 <1.17.2 \|\| >=1.18.0 <1.19.9 \|\| >=1.20.0 <1.21.3	1.16.8, 1.17.2, 1.19.9, 1.21.3
rpm rhel7	buildah	-	-
rpm rhel7	podman	-	-

Aliases

1. CVE-2021-36022. NVD-2021-36023. OSV-2021-36024. OSV-DEBIAN-2021-36025. GHSA-7638-r9r3-rmjj6. GCVE-2021-36027. GHSA-7638-r9r3-rmjj8. UBUNTU-CVE-2021-36029. SECURITY-TRACKER-CVE-2021-3602

References

1. https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb02. https://bugzilla.redhat.com/show_bug.cgi?id=19692643. https://pkg.go.dev/vuln/GO-2022-03454. https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.