
Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
2021-09-16 06:38

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.

Travis CI is a hosted CI/CD solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket.

"The desired behavior is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads.

Travis CI, in its own documentation, notes that "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code."
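As an added example (not from the article and not Travis CI's own code), the following guard script is what a project could run as its first build step to check the documented behavior from the build's side: it reads the Travis build variables TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_REPO_SLUG to decide whether the job was triggered by a pull request from a fork and, if so, fails the build when any of the listed secret variables (hypothetical names chosen for the illustration) is visible, which is the condition the documentation says should never occur.

```shell
#!/bin/sh
# Added example: fail a fork-PR build if secret environment variables are
# visible in it. A fork PR is one whose head repository (TRAVIS_PULL_REQUEST_SLUG)
# differs from the repository being built (TRAVIS_REPO_SLUG). Non-PR builds
# report TRAVIS_PULL_REQUEST="false".
# Assumption: the three TRAVIS_* variables are set by Travis for every job;
# the names in SECRET_VARS are hypothetical and stand for a project's own secrets.

SECRET_VARS="DEPLOY_TOKEN SIGNING_KEY NPM_TOKEN"

# is_fork_pr REPO_SLUG PR_NUMBER PR_SLUG -> 0 if the build is a pull request from a fork
is_fork_pr() {
  repo="$1"; pr="$2"; pr_slug="$3"
  # Pushes, cron and API builds are not pull requests at all.
  [ -n "$pr" ] && [ "$pr" != "false" ] || return 1
  # A PR whose head repository is not the target repository comes from a fork.
  [ -n "$pr_slug" ] && [ "$pr_slug" != "$repo" ]
}

# leaked_secrets -> prints the names from SECRET_VARS that are set to a non-empty value
leaked_secrets() {
  found=""
  for name in $SECRET_VARS; do
    # POSIX sh has no ${!name}; eval performs the indirect lookup.
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      found="$found $name"
    fi
  done
  printf '%s\n' "${found# }"
}

# secrets_guard REPO_SLUG PR_NUMBER PR_SLUG -> 0 if the build may proceed,
# 1 if a fork PR build can see one or more secrets (the build should stop here).
secrets_guard() {
  if is_fork_pr "$1" "$2" "$3"; then
    leaked="$(leaked_secrets)"
    if [ -n "$leaked" ]; then
      echo "ERROR: fork PR build can see secret variables: $leaked" >&2
      return 1
    fi
  fi
  return 0
}

# Entry point inside a Travis job; run it before any step that could echo or upload files.
main() {
  secrets_guard "${TRAVIS_REPO_SLUG:-}" "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_PULL_REQUEST_SLUG:-}"
}
```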

Szilágyi also called out Travis CI for downplaying the incident and failing to admit the "Gravity" of the issue, while also urging GitHub to ban the company over its poor security posture and vulnerability disclosure processes.

"No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/2NpRawNWfCI/travis-ci-flaw-exposes-secrets-of.html