DEBIAN-CVE-2021-3602

DEBIAN-CVE-2021-3602 PUBLISHED CVSS 5.5 MEDIUM

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Risk Scores

CVSS v3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor      Product                             Versions
Debian:14   golang-github-containers-buildah    0, 0, 0
Debian:13   golang-github-containers-buildah    0, 0, 0
Debian:11   golang-github-containers-buildah    *, *, *
Debian:12   golang-github-containers-buildah    0, 0, 0

Timeline

  • Mar 3, 2022 CVE Published
  • Apr 28, 2026 CVE Updated