CVE-2021-41077
HIGHTravis CI 2021-09-03-2021-09-10 - Unauthorized Secret Data Exposure via Forked Repository Build Process
Title source: llmDescription
The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.
References (6)
Core 6
Core References
Third Party Advisory x_refsource_misc
https://twitter.com/peter_szilagyi/status/1437646118700175360
Third Party Advisory x_refsource_misc
https://twitter.com/peter_szilagyi/status/1437649838477283330
Vendor Advisory x_refsource_misc
https://blog.travis-ci.com/2021-09-13-bulletin
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=28523350
Vendor Advisory x_refsource_misc
https://travis-ci.community/t/security-bulletin/12081
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=28524727
Scores
CVSS v3
7.5
EPSS
0.0144
EPSS Percentile
69.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (1)
travis-ci/travis_ci
2021-09-03 - 2021-09-10
Published
Sep 14, 2021
Tracked Since
Feb 18, 2026