Secrets from Public Repositories Were Exposed Due to Travis CI Flaw

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News


Travis CI, a continuous integration provider located in Berlin, has patched a severe issue that exposed signing keys, API keys, and access credentials, possibly putting thousands of companies at risk. Given the possible consequences, the firm has been criticized for not providing a more detailed description of the security vulnerability. Péter Szilágyi, the Ethereum cryptocurrency project’s team head, tweeted, “Anyone could exfiltrate these [secrets] and gain lateral movement into 1000s of orgs.”
Travis CI has fixed the flaw, tracked as CVE-2021-41077, and has recommended that companies rotate their secrets as soon as possible. As Szilágyi tweeted, the vulnerability was identified by Felix Lange and reported to Travis CI on Sept. 7. Travis CI says it began fixing the vulnerability on September 3, which would mean it detected the problem before being contacted, although the timeline is unclear.
“The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens,” the vulnerability description reads. “However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.” 
In other words, a fork of a public repository could open a pull request against the upstream repository and obtain the secret environment variables stored there. Encrypted environment variables are not exposed to pull requests fr

[…]
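The defensive checks that follow from the description above, as an added example that is not part of the article or of Travis CI's own tooling: a build-time guard that refuses to run when secure variables are present in a build for a pull request from a fork (a condition the article says should never occur), and a scanner that searches a build log for the values of known secrets, including base64- and hex-encoded forms. The Travis environment variable names (`TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG`, `TRAVIS_SECURE_ENV_VARS`) are Travis's documented build variables as I understand them; the secret values and the log lines are constructed for the example.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample secrets, standing in for values a project keeps as
# secure environment variables in CI. Not real credentials.
SECRETS: Dict[str, str] = {
    "NPM_TOKEN": "npm_EXAMPLE0TOKEN0VALUE0000000000",
    "AWS_SECRET_ACCESS_KEY": "wJalrEXAMPLEKEY/bPxRfiCYEXAMPLEKEY",
}

# Secrets shorter than this are skipped to avoid false positives on short strings.
MIN_SECRET_LEN = 8

# Constructed build log: a build step that echoes a variable, one that pipes a
# value through base64, and one where the CI provider masked the value.
SAMPLE_LOG = "\n".join([
    '$ echo "token=$NPM_TOKEN"',
    "token=" + SECRETS["NPM_TOKEN"],
    "$ printf '%s' \"$AWS_SECRET_ACCESS_KEY\" | base64",
    base64.b64encode(SECRETS["AWS_SECRET_ACCESS_KEY"].encode()).decode(),
    "$ cat ~/.npmrc",
    "//registry.npmjs.org/:_authToken=[secure]",  # masked placeholder, not a leak
])


def fork_pr_has_secrets(env: Dict[str, str]) -> bool:
    """Return True when a build for a pull request from a fork has secure
    variables injected. Assumes Travis's documented variables: TRAVIS_PULL_REQUEST
    is "false" or the PR number, the two *_SLUG values are "owner/repo", and
    TRAVIS_SECURE_ENV_VARS is "true" when secure variables were made available.
    A build script can call this first and abort if it returns True."""
    is_pull_request = env.get("TRAVIS_PULL_REQUEST", "false") != "false"
    from_fork = env.get("TRAVIS_PULL_REQUEST_SLUG", "") != env.get("TRAVIS_REPO_SLUG", "")
    secrets_present = env.get("TRAVIS_SECURE_ENV_VARS", "false") == "true"
    return is_pull_request and from_fork and secrets_present


def encodings(value: str) -> List[Tuple[str, str]]:
    """Forms in which a secret value might appear in log output."""
    raw = value.encode()
    return [
        ("plain", value),
        ("base64", base64.b64encode(raw).decode()),
        ("hex", raw.hex()),
    ]


def scan_log(log: str, secrets: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line number, secret name, encoding) for every log line that
    contains a known secret value in any of the encodings above."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        for name, value in secrets.items():
            if len(value) < MIN_SECRET_LEN:
                continue
            for kind, needle in encodings(value):
                if needle in line:
                    findings.append((lineno, name, kind))
    return findings


if __name__ == "__main__":
    # Constructed environment for a pull request from a fork with secrets present.
    env = {
        "TRAVIS_PULL_REQUEST": "42",
        "TRAVIS_PULL_REQUEST_SLUG": "someone/fork",
        "TRAVIS_REPO_SLUG": "org/upstream",
        "TRAVIS_SECURE_ENV_VARS": "true",
    }
    print("fork PR with secrets:", fork_pr_has_secrets(env))
    for lineno, name, kind in scan_log(SAMPLE_LOG, SECRETS):
        print(f"line {lineno}: {name} exposed ({kind})")
```

The scanner is meant to run over the archived logs of builds from the affected window, with the secret values that were in use at the time; any hit is a reason to treat that secret as compromised and rotate it, independent of what the guard reports for current builds.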
