CVE-2021-41077

Name of the Vulnerable Software and Affected Versions Travis CI versions 2021-09-03 through 2021-09-10

Description The activation process in Travis CI causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. This allows an unauthorized actor who forked a public repository and printed files during a build process to reveal customer-specific secret environment data, such as signing keys, access credentials, and API tokens.

Recommendations For Travis CI versions 2021-09-03 through 2021-09-10, consider restricting access to sensitive data and environment variables until a fix is available. As a temporary workaround, avoid using sensitive data in builds during this time period. At the moment, there is no information about a newer version that contains a fix for this vulnerability.