In the Travis CI continuous integration service, used to test and build projects hosted on GitHub and Bitbucket, a security issue (CVE-2021-41077) was found that allowed the contents of confidential environment variables of any public repository using Travis CI to be discovered. Among other things, the vulnerability made it possible to learn the keys Travis CI uses to generate digital signatures, as well as access keys and tokens used to call APIs.
The problem was present in Travis CI from September 3 to September 10. Notably, information about the vulnerability was passed to the developers on September 7, but the only response was an acknowledgement of receipt with a recommendation to rotate keys. Having received no proper feedback, the researchers contacted GitHub and proposed blacklisting Travis. The problem was fixed only on September 10, after a large number of complaints from various projects. After the incident, a rather strange report on the problem was published on the company's website: instead of informing users about the issue, it contained only an out-of-context recommendation to rotate access keys periodically.
After several large projects expressed indignation at the concealment of information, a more detailed report was published in the Travis CI support forum. It warned that the owner of a fork of any public repository could, by submitting a pull request, trigger the build process and gain unauthorized access to the confidential environment variables of the original repository, which are set up during the build from fields in the .travis.yml file or defined through the Travis CI web interface. Such variables are stored in encrypted form and are decrypted only during the build. The problem affected only publicly accessible repositories that have forks (private repositories are not affected by the attack).