Vulnerability in Travis CI Leaking Public Repository Keys

A security issue (CVE-2021-41077) has been identified in Travis CI, the continuous integration service used to test and build projects hosted on GitHub and Bitbucket. It allowed the contents of confidential environment variables belonging to public repositories that use Travis CI to be read. Among other things, this exposed the keys Travis CI uses to generate digital signatures, as well as access keys and API tokens.

The issue was present in Travis CI from September 3 to September 10. Notably, the vulnerability was reported to the developers on September 7, but the only reply was a recommendation to rotate keys. Having received no proper response, the researchers contacted GitHub and proposed that Travis CI be blacklisted. The problem was fixed only on September 10, after numerous complaints from various projects. After the incident, a decidedly odd incident report was published on the Travis CI website: instead of announcing a fix for the vulnerability, it contained only an out-of-context recommendation to rotate access keys.

After several major projects expressed outrage at the withholding of information, a more detailed report was posted on the Travis CI support forum. It warned that the owner of a fork of any public repository could, by submitting a pull request, trigger a build and gain unauthorized access to the confidential environment variables of the original repository, which are set at build time from fields in the ".travis.yml" file or defined through the Travis CI web interface. Such variables are stored in encrypted form and are decrypted only at build time. The problem affected only publicly accessible repositories that have forks; private repositories were not affected.
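Since the only remediation offered was key rotation, a maintainer first needs an inventory of which encrypted values a public repository's ".travis.yml" carries. The script below is an added example, not code from Travis CI or opennet.ru: it walks a parsed ".travis.yml" (the structure PyYAML would return; the sample config is constructed) and lists every `secure:` entry, then decides whether a secret falls inside the exposure window described above (the year 2021 is inferred from the CVE id).

```python
from datetime import date

# Exposure window stated in the article; the year is inferred from CVE-2021-41077.
EXPOSURE_START = date(2021, 9, 3)
EXPOSURE_END = date(2021, 9, 10)

# Constructed sample config, shaped like a typical public-repo .travis.yml
# after PyYAML has loaded it; ciphertext values are placeholders.
SAMPLE_CONFIG = {
    "language": "python",
    "env": {"global": [{"secure": "AAAA...=="}, "PLAIN_VAR=1"]},
    "deploy": {
        "provider": "pypi",
        "user": "release-bot",
        "password": {"secure": "BBBB...=="},
    },
}


def find_secure_entries(node, path=""):
    """Recursively collect the dotted path of every `secure:` ciphertext.

    Encrypted Travis CI values appear as one-key mappings
    {"secure": "<ciphertext>"} anywhere in the document (env.global,
    deploy credentials, notification tokens), so the whole tree is walked.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "secure" and isinstance(value, str):
                found.append(child)
            else:
                found.extend(find_secure_entries(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_secure_entries(item, f"{path}[{i}]"))
    return found


def needs_rotation(last_rotated, has_forks, public):
    """True if the secret existed during the window in a repo that was
    exposed: only public repositories with forks were affected, and a
    secret already rotated after the window closed is safe."""
    return public and has_forks and last_rotated <= EXPOSURE_END


if __name__ == "__main__":
    for entry in find_secure_entries(SAMPLE_CONFIG):
        print(entry, "-> rotate:", needs_rotation(EXPOSURE_START, True, True))
```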

Source: opennet.ru
