{"api_version":"1","generated_at":"2026-04-24T18:31:26+00:00","cve":"CVE-2021-41077","urls":{"html":"https://cve.report/CVE-2021-41077","api":"https://cve.report/api/cve/CVE-2021-41077.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41077","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41077"},"summary":{"title":"CVE-2021-41077","description":"The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-14 16:15:00","updated_at":"2021-09-29 18:37:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://twitter.com/peter_szilagyi/status/1437649838477283330","name":"https://twitter.com/peter_szilagyi/status/1437649838477283330","refsource":"MISC","tags":[],"title":"JavaScript is not available.","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://blog.travis-ci.com/2021-09-13-bulletin","name":"https://blog.travis-ci.com/2021-09-13-bulletin","refsource":"MISC","tags":[],"title":"The Travis CI Blog: Security Bulletin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://news.ycombinator.com/item?id=28523350","name":"https://news.ycombinator.com/item?id=28523350","refsource":"MISC","tags":[],"title":"Travis CI Leaked Secure Environment Variables | Hacker News","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://travis-ci.community/t/security-bulletin/12081","name":"https://travis-ci.community/t/security-bulletin/12081","refsource":"MISC","tags":[],"title":"Security Bulletin - Announcements - Travis CI Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://twitter.com/peter_szilagyi/status/1437646118700175360","name":"https://twitter.com/peter_szilagyi/status/1437646118700175360","refsource":"MISC","tags":[],"title":"Péter Szilágyi (karalabe.eth) on Twitter: \"Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. \n\nAnyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4\n\nhttps://t.co/i23jFzAjjH\"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://news.ycombinator.com/item?id=28524727","name":"https://news.ycombinator.com/item?id=28524727","refsource":"MISC","tags":[],"title":"Secure env vars of all public travisci repositories were injected into PR builds | Hacker News","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41077","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41077","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41077","vulnerable":"1","versionEndIncluding":"2021-09-10","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"travis-ci","cpe5":"travis_ci","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-41077","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://twitter.com/peter_szilagyi/status/1437646118700175360","refsource":"MISC","name":"https://twitter.com/peter_szilagyi/status/1437646118700175360"},{"url":"https://twitter.com/peter_szilagyi/status/1437649838477283330","refsource":"MISC","name":"https://twitter.com/peter_szilagyi/status/1437649838477283330"},{"url":"https://blog.travis-ci.com/2021-09-13-bulletin","refsource":"MISC","name":"https://blog.travis-ci.com/2021-09-13-bulletin"},{"url":"https://news.ycombinator.com/item?id=28523350","refsource":"MISC","name":"https://news.ycombinator.com/item?id=28523350"},{"refsource":"MISC","name":"https://travis-ci.community/t/security-bulletin/12081","url":"https://travis-ci.community/t/security-bulletin/12081"},{"refsource":"MISC","name":"https://news.ycombinator.com/item?id=28524727","url":"https://news.ycombinator.com/item?id=28524727"}]}},"nvd":{"publishedDate":"2021-09-14 16:15:00","lastModifiedDate":"2021-09-29 18:37:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*","versionStartIncluding":"2021-09-03","versionEndIncluding":"2021-09-10","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41077","Ordinal":"216850","Title":"CVE-2021-41077","CVE":"CVE-2021-41077","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41077","Ordinal":"1","NoteData":"The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"41077","Ordinal":"2","NoteData":"2021-09-14","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"41077","Ordinal":"3","NoteData":"2021-09-14","Type":"Other","Title":"Modified"}]}}}