CVE-2021-41077

HIGH

Travis CI 2021-09-03-2021-09-10 - Unauthorized Secret Data Exposure via Forked Repository Build Process

Title source: llm
STIX 2.1

Description

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.

References (6)

Core 6
Core References
Vendor Advisory x_refsource_misc
https://blog.travis-ci.com/2021-09-13-bulletin
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=28523350
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=28524727

Scores

CVSS v3 7.5
EPSS 0.0144
EPSS Percentile 69.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-862
Status published
Products (1)
travis-ci/travis_ci 2021-09-03 - 2021-09-10
Published Sep 14, 2021
Tracked Since Feb 18, 2026