CVE-2021-41077

{"id": "CVE-2021-41077", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-09-14T16:15:09.873", "references": [{"url": "https://blog.travis-ci.com/2021-09-13-bulletin", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://news.ycombinator.com/item?id=28523350", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://news.ycombinator.com/item?id=28524727", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://travis-ci.community/t/security-bulletin/12081", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/peter_szilagyi/status/1437646118700175360", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/peter_szilagyi/status/1437649838477283330", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://blog.travis-ci.com/2021-09-13-bulletin", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://news.ycombinator.com/item?id=28523350", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://news.ycombinator.com/item?id=28524727", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://travis-ci.community/t/security-bulletin/12081", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://twitter.com/peter_szilagyi/status/1437646118700175360", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://twitter.com/peter_szilagyi/status/1437649838477283330", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."}, {"lang": "es", "value": "El proceso de activaci\u00f3n en Travis CI, para determinadas compilaciones desde el 03-09-2021 hasta 10-09-2021, causa que los datos secretos tengan un intercambio inesperado que no est\u00e1 especificado por el archivo .travis.yml controlado por el cliente. En particular, el comportamiento deseado (si el archivo .travis.yml ha sido creado localmente por un cliente, y a\u00f1adido a git) es que el servicio Travis lleve a cabo las compilaciones de manera que impida el acceso p\u00fablico a los datos secretos del entorno espec\u00edficos del cliente, como las claves de firma, las credenciales de acceso y los tokens de la API. Sin embargo, durante el intervalo indicado de 8 d\u00edas, los datos secretos podr\u00edan ser revelados a un actor no autorizado que bifurcara un repositorio p\u00fablico e imprimiera archivos durante un proceso de construcci\u00f3n"}], "lastModified": "2024-11-21T06:25:23.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:travis-ci:travis_ci:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "915D6ADD-CC7A-46C0-AEE1-D9B6C1688D2D", "versionEndIncluding": "2021-09-10", "versionStartIncluding": "2021-09-03"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}