CVE-2021-41077 - OpenCVE

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Travis-ci	Travis Ci

Configuration 1 [-]

cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.travis-ci.com/2021-09-13-bulletin
https://news.ycombinator.com/item?id=28523350
https://news.ycombinator.com/item?id=28524727
https://travis-ci.community/t/security-bulletin/12081
https://twitter.com/peter_szilagyi/status/1437646118700175360
https://twitter.com/peter_szilagyi/status/1437649838477283330

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-14T15:07:31

Updated: 2024-08-04T02:59:31.014Z

Reserved: 2021-09-14T00:00:00

Link: CVE-2021-41077

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-14T16:15:09.873

Modified: 2021-09-29T18:37:52.603

Link: CVE-2021-41077

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-14T18:19:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.travis-ci.com/2021-09-13-bulletin"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=28523350"}, {"tags": ["x_refsource_MISC"], "url": "https://travis-ci.community/t/security-bulletin/12081"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=28524727"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-41077", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://twitter.com/peter_szilagyi/status/1437646118700175360", "refsource": "MISC", "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"}, {"name": "https://twitter.com/peter_szilagyi/status/1437649838477283330", "refsource": "MISC", "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"}, {"name": "https://blog.travis-ci.com/2021-09-13-bulletin", "refsource": "MISC", "url": "https://blog.travis-ci.com/2021-09-13-bulletin"}, {"name": "https://news.ycombinator.com/item?id=28523350", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=28523350"}, {"name": "https://travis-ci.community/t/security-bulletin/12081", "refsource": "MISC", "url": "https://travis-ci.community/t/security-bulletin/12081"}, {"name": "https://news.ycombinator.com/item?id=28524727", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=28524727"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.014Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.travis-ci.com/2021-09-13-bulletin"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=28523350"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://travis-ci.community/t/security-bulletin/12081"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=28524727"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-41077", "datePublished": "2021-09-14T15:07:31", "dateReserved": "2021-09-14T00:00:00", "dateUpdated": "2024-08-04T02:59:31.014Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*", "matchCriteriaId": "915D6ADD-CC7A-46C0-AEE1-D9B6C1688D2D", "versionEndIncluding": "2021-09-10", "versionStartIncluding": "2021-09-03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."}, {"lang": "es", "value": "El proceso de activaci\u00f3n en Travis CI, para determinadas compilaciones desde el 03-09-2021 hasta 10-09-2021, causa que los datos secretos tengan un intercambio inesperado que no est\u00e1 especificado por el archivo .travis.yml controlado por el cliente. En particular, el comportamiento deseado (si el archivo .travis.yml ha sido creado localmente por un cliente, y a\u00f1adido a git) es que el servicio Travis lleve a cabo las compilaciones de manera que impida el acceso p\u00fablico a los datos secretos del entorno espec\u00edficos del cliente, como las claves de firma, las credenciales de acceso y los tokens de la API. Sin embargo, durante el intervalo indicado de 8 d\u00edas, los datos secretos podr\u00edan ser revelados a un actor no autorizado que bifurcara un repositorio p\u00fablico e imprimiera archivos durante un proceso de construcci\u00f3n"}], "id": "CVE-2021-41077", "lastModified": "2021-09-29T18:37:52.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-14T16:15:09.873", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.travis-ci.com/2021-09-13-bulletin"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=28523350"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=28524727"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://travis-ci.community/t/security-bulletin/12081"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}