CVE-2021-3602

MEDIUM5.5EPSS 0.17%

Buildah processes using chroot isolation may leak environment values to intermediate processes

Published: 7/19/2021Modified: 3/13/2026
Also known as:GHSA-7638-r9r3-rmjjCGA-f5xh-xvfq-2rh4DEBIAN-CVE-2021-3602GO-2022-0345

Description

### Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to. ### Patches Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later. ### Workarounds As a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage. ### For more information If you have any questions or comments about this advisory: * Open an issue in [buildah](https://github.com/containers/buildah/issues) * Email us at [the buildah general mailing list](mailto:[email protected]), or [the podman security mailing list](mailto:[email protected]) if it's sensitive.

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (8)