VulnerableCode Package Details - pkg:golang/github.com/containers/buildah@1.21.3

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-thgc-p1tc-nbdw	Buildah processes using chroot isolation may leak environment values to intermediate processes ### Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to. ### Patches Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later. ### Workarounds As a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage. ### For more information If you have any questions or comments about this advisory: * Open an issue in [buildah](https://github.com/containers/buildah/issues) * Email us at [the buildah general mailing list](mailto:buildah@lists.buildah.io), or [the podman security mailing list](mailto:security@lists.podman.io) if it's sensitive.	CVE-2021-3602 GHSA-7638-r9r3-rmjj

Vulnerability

Summary

Aliases

VCID-thgc-p1tc-nbdw

Buildah processes using chroot isolation may leak environment values to intermediate processes ### Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to. ### Patches Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later. ### Workarounds As a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage. ### For more information If you have any questions or comments about this advisory: * Open an issue in [buildah](https://github.com/containers/buildah/issues) * Email us at [the buildah general mailing list](mailto:buildah@lists.buildah.io), or [the podman security mailing list](mailto:security@lists.podman.io) if it's sensitive.

CVE-2021-3602
GHSA-7638-r9r3-rmjj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:02:15.749562+00:00	GithubOSV Importer	Fixing	VCID-thgc-p1tc-nbdw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-7638-r9r3-rmjj/GHSA-7638-r9r3-rmjj.json	38.0.0

2026-04-01T13:02:15.749562+00:00

GithubOSV Importer

Fixing

VCID-thgc-p1tc-nbdw

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-7638-r9r3-rmjj/GHSA-7638-r9r3-rmjj.json

38.0.0