Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects


Travis CI

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.

The issue — tracked as CVE-2021-41077 — concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10.

Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company’s Péter Szilágyi pointing out that “anyone could exfiltrate these and gain lateral movement into 1000s of [organizations].”

Read more…