CVE-2021-3602: Improper Removal of Sensitive Information Before Storage or Transfer
(updated )
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
References
- bugzilla.redhat.com/show_bug.cgi?id=1969264
- github.com/advisories/GHSA-7638-r9r3-rmjj
- github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
- github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
- nvd.nist.gov/vuln/detail/CVE-2021-3602
- pkg.go.dev/vuln/GO-2022-0345
- ubuntu.com/security/CVE-2021-3602
Code Behaviors & Features
Detect and mitigate CVE-2021-3602 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →