CVE-2021-41077 (GCVE-0-2021-41077)

Vulnerability from cvelistv5 – Published: 2021-09-14 15:07 – Updated: 2024-08-04 02:59
Summary
The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
  • mitre

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.014Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.travis-ci.com/2021-09-13-bulletin"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=28523350"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://travis-ci.community/t/security-bulletin/12081"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=28524727"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-14T18:19:08.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.travis-ci.com/2021-09-13-bulletin"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://news.ycombinator.com/item?id=28523350"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://travis-ci.community/t/security-bulletin/12081"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://news.ycombinator.com/item?id=28524727"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-41077",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://twitter.com/peter_szilagyi/status/1437646118700175360",
              "refsource": "MISC",
              "url": "https://twitter.com/peter_szilagyi/status/1437646118700175360"
            },
            {
              "name": "https://twitter.com/peter_szilagyi/status/1437649838477283330",
              "refsource": "MISC",
              "url": "https://twitter.com/peter_szilagyi/status/1437649838477283330"
            },
            {
              "name": "https://blog.travis-ci.com/2021-09-13-bulletin",
              "refsource": "MISC",
              "url": "https://blog.travis-ci.com/2021-09-13-bulletin"
            },
            {
              "name": "https://news.ycombinator.com/item?id=28523350",
              "refsource": "MISC",
              "url": "https://news.ycombinator.com/item?id=28523350"
            },
            {
              "name": "https://travis-ci.community/t/security-bulletin/12081",
              "refsource": "MISC",
              "url": "https://travis-ci.community/t/security-bulletin/12081"
            },
            {
              "name": "https://news.ycombinator.com/item?id=28524727",
              "refsource": "MISC",
              "url": "https://news.ycombinator.com/item?id=28524727"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-41077",
    "datePublished": "2021-09-14T15:07:31.000Z",
    "dateReserved": "2021-09-14T00:00:00.000Z",
    "dateUpdated": "2024-08-04T02:59:31.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-41077",
      "date": "2026-04-25",
      "epss": "0.00426",
      "percentile": "0.62338"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2021-09-03\", \"versionEndIncluding\": \"2021-09-10\", \"matchCriteriaId\": \"915D6ADD-CC7A-46C0-AEE1-D9B6C1688D2D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.\"}, {\"lang\": \"es\", \"value\": \"El proceso de activaci\\u00f3n en Travis CI, para determinadas compilaciones desde el 03-09-2021 hasta 10-09-2021, causa que los datos secretos tengan un intercambio inesperado que no est\\u00e1 especificado por el archivo .travis.yml controlado por el cliente. En particular, el comportamiento deseado (si el archivo .travis.yml ha sido creado localmente por un cliente, y a\\u00f1adido a git) es que el servicio Travis lleve a cabo las compilaciones de manera que impida el acceso p\\u00fablico a los datos secretos del entorno espec\\u00edficos del cliente, como las claves de firma, las credenciales de acceso y los tokens de la API. Sin embargo, durante el intervalo indicado de 8 d\\u00edas, los datos secretos podr\\u00edan ser revelados a un actor no autorizado que bifurcara un repositorio p\\u00fablico e imprimiera archivos durante un proceso de construcci\\u00f3n\"}]",
      "id": "CVE-2021-41077",
      "lastModified": "2024-11-21T06:25:23.907",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-09-14T16:15:09.873",
      "references": "[{\"url\": \"https://blog.travis-ci.com/2021-09-13-bulletin\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://news.ycombinator.com/item?id=28523350\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://news.ycombinator.com/item?id=28524727\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://travis-ci.community/t/security-bulletin/12081\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://twitter.com/peter_szilagyi/status/1437646118700175360\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://twitter.com/peter_szilagyi/status/1437649838477283330\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://blog.travis-ci.com/2021-09-13-bulletin\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://news.ycombinator.com/item?id=28523350\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://news.ycombinator.com/item?id=28524727\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://travis-ci.community/t/security-bulletin/12081\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://twitter.com/peter_szilagyi/status/1437646118700175360\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://twitter.com/peter_szilagyi/status/1437649838477283330\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41077\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-09-14T16:15:09.873\",\"lastModified\":\"2024-11-21T06:25:23.907\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.\"},{\"lang\":\"es\",\"value\":\"El proceso de activaci\u00f3n en Travis CI, para determinadas compilaciones desde el 03-09-2021 hasta 10-09-2021, causa que los datos secretos tengan un intercambio inesperado que no est\u00e1 especificado por el archivo .travis.yml controlado por el cliente. En particular, el comportamiento deseado (si el archivo .travis.yml ha sido creado localmente por un cliente, y a\u00f1adido a git) es que el servicio Travis lleve a cabo las compilaciones de manera que impida el acceso p\u00fablico a los datos secretos del entorno espec\u00edficos del cliente, como las claves de firma, las credenciales de acceso y los tokens de la API. Sin embargo, durante el intervalo indicado de 8 d\u00edas, los datos secretos podr\u00edan ser revelados a un actor no autorizado que bifurcara un repositorio p\u00fablico e imprimiera archivos durante un proceso de construcci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2021-09-03\",\"versionEndIncluding\":\"2021-09-10\",\"matchCriteriaId\":\"915D6ADD-CC7A-46C0-AEE1-D9B6C1688D2D\"}]}]}],\"references\":[{\"url\":\"https://blog.travis-ci.com/2021-09-13-bulletin\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=28523350\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=28524727\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://travis-ci.community/t/security-bulletin/12081\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://twitter.com/peter_szilagyi/status/1437646118700175360\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://twitter.com/peter_szilagyi/status/1437649838477283330\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://blog.travis-ci.com/2021-09-13-bulletin\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=28523350\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=28524727\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://travis-ci.community/t/security-bulletin/12081\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://twitter.com/peter_szilagyi/status/1437646118700175360\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://twitter.com/peter_szilagyi/status/1437649838477283330\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}