CVE-2021-41077

Published on: 09/14/2021 12:00:00 AM UTC

Last Modified on: 09/14/2021 07:15:00 PM UTC

The following vulnerability was found:

The activation process in Travis CI, for certain builds between 2021-09-03 and 2021-09-10, shared secret data in a way not specified by the customer-controlled .travis.yml file. The intended behavior (when a customer creates .travis.yml locally and adds it to git) is for the Travis service to run builds so that customer-specific secret environment data, such as signing keys, access credentials, and API tokens, is never exposed publicly. During the stated 8-day interval, however, that secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.

CVE References

Each entry lists the reference description, its source domain, its tags (resource type and link type), and the link.

1. JavaScript is not available. (nitter.domain.glass)
   Tags: text/html, MISC
   Link: twitter.com/peter_szilagyi/status/1437649838477283330

2. The Travis CI Blog: Security Bulletin (blog.travis-ci.com)
   Tags: text/html, MISC
   Link: blog.travis-ci.com/2021-09-13-bulletin

3. Travis CI Leaked Secure Environment Variables | Hacker News (news.ycombinator.com)
   Tags: text/html, MISC
   Link: news.ycombinator.com/item?id=28523350

4. Security Bulletin - Announcements - Travis CI Community (travis-ci.community)
   Tags: text/html, MISC
   Link: travis-ci.community/t/security-bulletin/12081

5. Péter Szilágyi (karalabe.eth) on Twitter: "Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. Anyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4 https://t.co/i23jFzAjjH" (nitter.domain.glass)
   Tags: text/html, MISC
   Link: twitter.com/peter_szilagyi/status/1437646118700175360

6. Secure env vars of all public travisci repositories were injected into PR builds | Hacker News (news.ycombinator.com)
   Tags: text/html, MISC
   Link: news.ycombinator.com/item?id=28524727

Social Mentions

Each entry lists the source account (all from Twitter), the posting time in UTC, and the post text as captured (truncated text is shown as captured).

@CVEreport, 2021-09-14 15:43:00
  CVE-2021-41077 : The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secr… twitter.com/i/web/status/1…

@azu_re, 2021-09-14 15:53:34
  A CVE has been registered. "CVE - CVE-2021-41077"

@alexanderjaeger, 2021-09-15 08:44:20
  And also a CVE has been assigned: @CVEnew #CVE202141077

@_lijnk, 2021-09-15 14:33:30
  @Jeremy_Kirk @peter_szilagyi

@autumn_good_35, 2021-09-16 15:10:13
  CVE-2021-41077 Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects thehackernews.com/2021/09/travis…

@wallofsheep, 2021-09-16 18:50:02
  #Travis CI Flaw exposes secrets of thousands of #opensource projects! CVE-2021-41077 - fork a public repo with a p… twitter.com/i/web/status/1…

@HackersOmhe, 2021-09-17 03:46:39
  Cybersecurity flaw in Travis CI

@eagerbeavertech, 2021-09-17 04:03:32
  thehackernews.com/2021/09/travis… The issue - tracked as CVE-2021-41077 - concerns unauthorized access and plunder of sec… twitter.com/i/web/status/1…

@eed3si9n, 2021-09-19 02:40:49
  due to the poor handling of the recent security incident CVE-2021-41077, I'm suspending Travis CI integration on al… twitter.com/i/web/status/1…

@sickcodes, 2021-09-19 08:13:48
  Travis CI's advisory for CVE-2021-41077 is ~45 words of blaming the victims of their own vulnerability. The adviso… twitter.com/i/web/status/1…

@kabukawa, 2021-09-19 11:10:33
  CVE-2021-41077
© CVE.report 2021