CVE-2021-41077
Description
The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens. However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Travis CI / Travis CI
Patches
Vulnerability mechanics
Root cause
"The Travis CI build activation process did not properly isolate secret environment variables when processing pull requests from forked public repositories, allowing the forked build to access the original repository's secrets."
Attack vector
An attacker forks a public repository on a supported platform (e.g., GitHub, Bitbucket, Assembla) and opens a pull request against the original repository. The build triggered by that pull request runs the build steps from the fork's own .travis.yml, so the attacker controls what executes; a step that prints environment variables or files from the build environment exposes the original repository's secret data (signing keys, access credentials, API tokens) in the build log. The advisory notes that secrets remain encrypted in the Travis CI database but are decrypted during the build, which is how secure environment variables normally work; the defect is that they were injected into builds of pull requests from forks at all [ref_id=1].
Affected code
The activation process in Travis CI during September 3–10, 2021, allowed secrets from a public repository to be exposed to a forked repository during a build triggered by a pull request. The advisory states that a forked public repository could file a pull request and 'obtain unauthorized access to secret from the original Public repository with a condition of printing some of the files during the build process' [ref_id=1]. No specific function or file names are provided in the advisory.
What the fix does
Travis CI deployed a series of security patches starting on September 3, 2021, to resolve the issue [ref_id=1]. The advisory does not include a code-level diff or describe the change; the expected behavior after the fix is that builds triggered by pull requests from forked repositories do not receive the base repository's secure environment variables. The advisory recommends that all users rotate their secrets regularly as a general security practice. In practice, any secret configured on a public repository that had a pull request from a fork built during the window should be treated as exposed and rotated, since build logs for public repositories are themselves public.
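The root cause and fix described above, as an added example that is not code from Travis CI or from the advisory: a small model of the decision a CI service makes before injecting secure environment variables into a build. `vulnerable_env` reproduces the defect (secrets go into every build, including a pull request from a fork), and `hardened_env` applies the isolation rule that pull requests whose head repository differs from the base repository get no secrets. The `BuildRequest` class, the `leaked_secrets` helper and the token values are constructed for illustration; the `TRAVIS_*` variable names follow Travis CI's documented build environment, but nothing here is Travis CI's implementation.

```python
from dataclasses import dataclass


@dataclass
class BuildRequest:
    """Constructed model of one build request (not a Travis CI data structure)."""
    event: str        # "push" or "pull_request"
    base_repo: str    # repository the build belongs to (TRAVIS_REPO_SLUG)
    head_repo: str    # repository the commits come from (TRAVIS_PULL_REQUEST_SLUG)
    secure_env: dict  # secure environment variables configured on base_repo


def _common_env(req: BuildRequest) -> dict:
    return {
        "CI": "true",
        "TRAVIS_EVENT_TYPE": req.event,
        "TRAVIS_REPO_SLUG": req.base_repo,
        "TRAVIS_PULL_REQUEST_SLUG": req.head_repo if req.event == "pull_request" else "",
    }


def is_fork_pull_request(req: BuildRequest) -> bool:
    """A pull request whose commits come from a repository other than the base."""
    return req.event == "pull_request" and req.head_repo != req.base_repo


def vulnerable_env(req: BuildRequest) -> dict:
    """Modeled defect: secrets are injected no matter where the pull request came from."""
    env = _common_env(req)
    env["TRAVIS_SECURE_ENV_VARS"] = "true"
    env.update(req.secure_env)
    return env


def hardened_env(req: BuildRequest) -> dict:
    """Isolation rule: fork pull requests run the fork's .travis.yml, so they get no secrets."""
    env = _common_env(req)
    if is_fork_pull_request(req):
        env["TRAVIS_SECURE_ENV_VARS"] = "false"
        return env
    env["TRAVIS_SECURE_ENV_VARS"] = "true"
    env.update(req.secure_env)
    return env


def leaked_secrets(env: dict, req: BuildRequest) -> list:
    """Which configured secrets an attacker-controlled `script: env` step would print."""
    printed = "\n".join(f"{k}={v}" for k, v in sorted(env.items()))
    return sorted(k for k, v in req.secure_env.items() if f"{k}={v}" in printed)


# Constructed sample: secrets on org/app and three kinds of build request.
SECRETS = {"NPM_TOKEN": "npm_constructed_token", "GPG_PASSPHRASE": "constructed-passphrase"}
FORK_PR = BuildRequest("pull_request", "org/app", "attacker/app", SECRETS)
SAME_REPO_PR = BuildRequest("pull_request", "org/app", "org/app", SECRETS)
PUSH = BuildRequest("push", "org/app", "org/app", SECRETS)


def demo() -> dict:
    """Secrets visible to a fork's `env` step under the defective and the hardened policy."""
    return {
        "vulnerable_fork_pr": leaked_secrets(vulnerable_env(FORK_PR), FORK_PR),
        "hardened_fork_pr": leaked_secrets(hardened_env(FORK_PR), FORK_PR),
        "hardened_same_repo_pr": leaked_secrets(hardened_env(SAME_REPO_PR), SAME_REPO_PR),
        "hardened_push": leaked_secrets(hardened_env(PUSH), PUSH),
    }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {leaked or 'nothing'}")
```

The same-repository pull request and the push build still receive the secrets under the hardened rule; only the head-repository check separates trusted from untrusted build scripts, which is why that one comparison is the whole of the fix.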
Preconditions
- config: The target repository must be public, must have secret environment data configured, and must have been forked by the attacker.
- input: The attacker must be able to open a pull request from the fork to the original repository during the affected window.
- input: The attacker's build steps must print environment variables or files during the build process to exfiltrate the secrets.
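The preconditions above also define the triage question a repository owner has to answer after the fact: which pull requests from forks could have been built during the window, and therefore which secrets to rotate. The following added example (not part of the advisory or of any Travis CI tooling) applies that check to a constructed list of pull-request records shaped like GitHub's REST `pulls` response (`head.repo.full_name`, `base.repo.full_name`, `created_at`, `closed_at`). The window bounds come from the CVE description; the sample records, repository names and the `exposed_pull_requests` function are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Window from the CVE description: 2021-09-03 through 2021-09-10 (end is exclusive).
WINDOW_START = datetime(2021, 9, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 9, 11, tzinfo=timezone.utc)


def _parse(ts):
    """GitHub timestamps are ISO 8601 in UTC with a trailing Z; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fork_pr(pr: dict) -> bool:
    """Head repository differs from base, or head repo is gone (deleted fork): treat as fork."""
    head = pr["head"]["repo"]
    if head is None:
        return True
    return head["full_name"] != pr["base"]["repo"]["full_name"]


def open_during_window(pr: dict, start=WINDOW_START, end=WINDOW_END) -> bool:
    """Conservative: any PR open at some point inside the window could have been rebuilt."""
    created = _parse(pr["created_at"])
    closed = _parse(pr.get("closed_at"))
    return created < end and (closed is None or closed >= start)


def exposed_pull_requests(prs) -> list:
    """PR numbers from forks that were open during the window; their base repo's secrets need rotation."""
    return sorted(pr["number"] for pr in prs if is_fork_pr(pr) and open_during_window(pr))


def _pr(number, head_repo, created_at, closed_at=None, base_repo="org/app"):
    head = {"full_name": head_repo} if head_repo is not None else None
    return {
        "number": number,
        "created_at": created_at,
        "closed_at": closed_at,
        "head": {"repo": head},
        "base": {"repo": {"full_name": base_repo}},
    }


# Constructed sample records (not real pull requests).
SAMPLE_PRS = [
    _pr(101, "attacker/app", "2021-09-05T10:00:00Z"),                          # fork, open in window
    _pr(102, "org/app", "2021-09-06T09:00:00Z"),                               # same-repo branch
    _pr(103, "contrib/app", "2021-08-20T08:00:00Z", "2021-08-25T08:00:00Z"),   # fork, closed before
    _pr(104, "contrib/app", "2021-08-30T08:00:00Z", "2021-09-04T12:00:00Z"),   # fork, open into window
    _pr(105, None, "2021-09-10T23:00:00Z"),                                    # fork since deleted
    _pr(106, "someone/app", "2021-09-12T08:00:00Z"),                           # fork, after window
]


if __name__ == "__main__":
    print("rotate secrets for org/app; exposed PRs:", exposed_pull_requests(SAMPLE_PRS))
```

Using the open interval rather than `created_at` alone matters: a fork pull request opened before the window is rebuilt whenever the attacker pushes to it, so PR 104 counts even though it was created in August. A deleted fork (PR 105) shows up with a null head repository in the API and is treated as a fork rather than skipped.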
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- blog.travis-ci.com/2021-09-13-bulletin
- news.ycombinator.com/item
- news.ycombinator.com/item
- travis-ci.community/t/security-bulletin/12081
- twitter.com/peter_szilagyi/status/1437646118700175360
- twitter.com/peter_szilagyi/status/1437649838477283330