Vulnerability Details : CVE-2021-41077
The activation process in Travis CI, for certain builds between 2021-09-03 and 2021-09-10, caused secret data to be shared in a way not specified by the customer-controlled .travis.yml file. The intended behavior (when a customer creates .travis.yml locally and adds it to git) is for the Travis service to run builds so that customer-specific secret environment data, such as signing keys, access credentials and API tokens, is never exposed publicly. During the stated 8-day interval, however, that secret data could be revealed to an unauthorized actor who forked a public repository, opened a pull request and printed the values during the resulting build.
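As an added example (not part of this CVE entry and not Travis CI's own code), the script below shows two checks a repository owner could run in the context of this bug: an inventory of every encrypted `secure:` entry in a `.travis.yml`, which is the list of secrets that would need rotating after such an exposure window, and a guard that reads a build's `TRAVIS_*` environment and flags the anomalous state this CVE produced, a pull-request build from a fork in which secure environment variables are nevertheless available. It assumes the documented meaning of `TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG` and `TRAVIS_SECURE_ENV_VARS`; the sample `.travis.yml` and the environment dictionaries are constructed for illustration.

```python
"""Added example (not from this CVE entry nor Travis CI's own code).

  1. inventory_secure_entries(): list every encrypted `secure:` value in a
     .travis.yml with its location, i.e. the secrets to rotate after an
     exposure window such as 2021-09-03 .. 2021-09-10.
  2. secure_vars_exposed_to_fork(): from a build's TRAVIS_* environment,
     flag a pull-request build from a fork that has secure env vars
     available, which is the state CVE-2021-41077 produced.

Assumed (documented) semantics: TRAVIS_PULL_REQUEST is "false" or the PR
number; TRAVIS_PULL_REQUEST_SLUG is the PR's head repo (empty otherwise);
TRAVIS_REPO_SLUG is the repo being built; TRAVIS_SECURE_ENV_VARS is
"true"/"false". The .travis.yml and environments below are constructed.
"""
import re
from typing import Dict, List, Tuple

# `key:` at the start of a line, optionally as a list item (`- key:`).
_KEY_RE = re.compile(r"^(?P<indent>[ ]*)(?P<dash>-[ ]+)?(?P<key>[A-Za-z_][\w-]*):")
# `secure: "<base64>"`. Travis encrypts the whole NAME=value string, so the
# variable name is not recoverable from the file. Block scalars (`secure: >`)
# are not handled by this line-oriented scan.
_SECURE_RE = re.compile(r"^[ ]*(?:-[ ]+)?secure:[ ]*[\"']?(?P<blob>[A-Za-z0-9+/=]{8,})")


def inventory_secure_entries(text: str) -> List[Dict[str, object]]:
    """Return [{'line': n, 'path': 'env.global'}, ...] for each secure entry."""
    stack: List[Tuple[int, str]] = []  # (depth, key) of the enclosing mappings
    found: List[Dict[str, object]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue  # plain list item such as `- FOO=bar` or `- go test ./...`
        # A list-item key sits one level deeper than its dash.
        depth = len(m.group("indent")) + len(m.group("dash") or "")
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if m.group("key") == "secure" and _SECURE_RE.match(line):
            found.append({"line": no, "path": ".".join(k for _, k in stack)})
        else:
            stack.append((depth, m.group("key")))
    return found


def is_fork_pull_request(env: Dict[str, str]) -> bool:
    """True for a PR build whose head repository differs from the base repo."""
    if env.get("TRAVIS_PULL_REQUEST", "false") == "false":
        return False
    return env.get("TRAVIS_PULL_REQUEST_SLUG", "") != env.get("TRAVIS_REPO_SLUG", "")


def secure_vars_exposed_to_fork(env: Dict[str, str]) -> bool:
    """By Travis CI's documented design a fork PR build does not receive
    secure vars, so TRAVIS_SECURE_ENV_VARS should be "false" there.
    "true" in a fork PR build means the secrets are in the fork's hands."""
    return is_fork_pull_request(env) and env.get("TRAVIS_SECURE_ENV_VARS") == "true"


# Constructed sample .travis.yml; the base64 blobs are placeholders.
SAMPLE_TRAVIS_YML = """\
language: go
env:
  global:
    - GO111MODULE=on
    - secure: "Q29uc3RydWN0ZWRDaXBoZXJ0ZXh0T25lMTIzNDU2Nzg5MA=="
    - secure: "Q29uc3RydWN0ZWRDaXBoZXJ0ZXh0VHdvMTIzNDU2Nzg5MA=="
deploy:
  provider: releases
  api_key:
    secure: "Q29uc3RydWN0ZWRDaXBoZXJ0ZXh0VGhyZWUxMjM0NTY3ODkw"
script:
  - go test ./...
"""

# Constructed build environments (only the relevant TRAVIS_* keys).
_BASE = "example-org/widget"
PUSH_BUILD = {"TRAVIS_PULL_REQUEST": "false", "TRAVIS_PULL_REQUEST_SLUG": "",
              "TRAVIS_REPO_SLUG": _BASE, "TRAVIS_SECURE_ENV_VARS": "true"}
SAME_REPO_PR = {"TRAVIS_PULL_REQUEST": "42", "TRAVIS_PULL_REQUEST_SLUG": _BASE,
                "TRAVIS_REPO_SLUG": _BASE, "TRAVIS_SECURE_ENV_VARS": "true"}
FORK_PR_EXPECTED = {"TRAVIS_PULL_REQUEST": "43", "TRAVIS_PULL_REQUEST_SLUG": "someone/widget",
                    "TRAVIS_REPO_SLUG": _BASE, "TRAVIS_SECURE_ENV_VARS": "false"}
FORK_PR_LEAK = dict(FORK_PR_EXPECTED, TRAVIS_SECURE_ENV_VARS="true")


def main() -> None:
    for entry in inventory_secure_entries(SAMPLE_TRAVIS_YML):
        print(f"rotate: secure value at line {entry['line']} under {entry['path']}")
    for name, env in [("push", PUSH_BUILD), ("same-repo PR", SAME_REPO_PR),
                      ("fork PR (expected)", FORK_PR_EXPECTED), ("fork PR (leak)", FORK_PR_LEAK)]:
        print(f"{name}: exposed={secure_vars_exposed_to_fork(env)}")


if __name__ == "__main__":
    main()
```

Calling `secure_vars_exposed_to_fork(dict(os.environ))` as the first `before_install` step and failing the build when it returns True only catches the condition from inside a build that has already received the secrets, so it is an alarm, not a fix; the fix was on the Travis side, and for the window above the owner's remedy is to rotate every value the inventory lists.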
Products affected by CVE-2021-41077
- cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41077
- EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~54% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-41077
CVSS Version | Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---|---
2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2021-41077
- CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-41077
- https://news.ycombinator.com/item?id=28524727
  Secure env vars of all public travisci repositories were injected into PR builds | Hacker News (Third Party Advisory)
- https://twitter.com/peter_szilagyi/status/1437646118700175360
  Péter Szilágyi (karalabe.eth) on Twitter: "Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens." (Third Party Advisory)
- https://blog.travis-ci.com/2021-09-13-bulletin
  The Travis CI Blog: Security Bulletin (Vendor Advisory)
- https://news.ycombinator.com/item?id=28523350
  Travis CI Leaked Secure Environment Variables | Hacker News (Third Party Advisory)
- https://travis-ci.community/t/security-bulletin/12081
  Security Bulletin - Announcements - Travis CI Community (Vendor Advisory)
- https://twitter.com/peter_szilagyi/status/1437649838477283330
  Péter Szilágyi (karalabe.eth) on Twitter: "Just for posterity, here's their original announcement. I do hope they update it to something more meaningful. https://t.co/TTSGiCshh9" (Third Party Advisory)