Travis CI, a continuous integration provider, has fixed a severe security vulnerability that revealed API keys, access tokens, and credentials, putting businesses that set public source code repositories at risk.
Travis CI is an online CI/CD (Continuous Integration and Continuous Deployment) solution for developing and testing software projects hosted on Bitbucket and GitHub.
The vulnerability, assigned the code CVE-2021-41077, leads to unauthorized access and theft of secret environment data connected with a public open-source project during the software development process.
The leakage was discovered by Felix Lange of Ethereum on September 7. The company’s Péter Szilágyi pointed out “anyone could exfiltrate these and gain lateral movement into 1000s of [organizations].”
The problem has lasted for eight days, from September 3 to September 10, before it was fixed.
“During the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process,” Travis CI notes in its documentation.
A branch of a public repository might submit a pull request to get access to private environmental variables configured in the source repository. “Encrypted environment variables are not exposed to pull requests from forks owing to the security potentially exposing sensitive information to unknown code,” Travis CI says.
It’s also noted that an external pull request may disclose environment variables: A pull request received from a fork of the source repository might be modified to reveal environment variables. Pull requests may be issued by anybody who forks the repository on GitHub. Therefore, the upstream repository’s manager would have no defense against this attack.
On September 13, the Berlin-based DevOps platform firm issued a brief “security advisory,” urging customers to rotate their keys regularly. It then released a second notification on its community forums, claiming that it had discovered no indication that malicious parties had misused the problem.
Szilágyi advises everyone immediately and indefinitely migrate away from Travis CI due to their negligent handling of this problem and subsequent unwillingness to alert users about possibly exposed secrets.
