The maintainers of Travis CI, a continuous integration provider located in Berlin, have patched a vulnerability that exposes API and signing keys as well as access credentials to unauthorised third parties. This vulnerability possibly impacts thousands of companies and the maintainers have been criticised for not releasing any technical advisories on the issue itself.
The vulnerability allows confidential data to be exposed by an unauthorised attacker simply by cloning a public repository which can trigger a pull request for private environmental variables stored in the upstream repository.
The vulnerability tracked as CVE-2021-41077 was quietly patched on the 10th of September. It was discovered and reported by researcher Felix Lange on the 7th of September.
It should be noted that the vulnerability is still under investigation and hasn’t been assigned a CVSS score as of yet.
Versions of Travis CI which remain unpatched could allow confidential data from private repositories to be leaked to an attacker. In addition, it poses a supply chain risk in CI/CD pipelines. An attacker who obtains secret variables or other sensitive information could utilise it for targeted attacks in an organisation’s CI/CD infrastructure.
It is imperative that users of Travis CI patch to the latest version immediately. However, if you are unsure of the version you are running, it is recommended to contact their support team, as Travis CI’s changelog nor documentation makes clear the version history.
Their supports email address is: firstname.lastname@example.org
Source: E Hacking News