document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-26 21:30:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #26100 from lkxed/20220616-The-Travis-CI-Vulnerability-Exposes-Sensitive-Open-Source-Project-Credentials

Browse Source 
[申领原文][news]: 20220616 The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials.md
This commit is contained in:
六开箱 2022-06-17 13:04:52 +08:00 committed by GitHub
commit e66c5b4797
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 37 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
sources/news/20220616 The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials.md
View File

@ -1,35 +0,0 @@
[#]: subject: "The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials"
[#]: via: "https://www.opensourceforu.com/2022/06/the-travis-ci-vulnerability-exposes-sensitive-open-source-project-credentials/"
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
[#]: collector: "lkxed"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials
======
![travis c][1]
A flaw in Travis CI continuous integration software exposed sensitive data from thousands of open source projects online. This is not the first time the software has encountered such security issues. Travis is a CI tool that allows software developers to automate the testing and integration of new code into open source projects. Aqua researchers discovered that it is possible to access up to 770 million logs from Travis CI free tier users, even those who have deleted their accounts, via one of the softwares APIs.
Attackers can extract user authentication tokens used to log in to cloud services such as GitHub, Docker Hub, and AWS from these logs, which are stored in clear text format. The researchers discovered more than 70,000 sensitive tokens and other confidential credentials in a sample of eight million logs. “All Travis CI free tier users are potentially exposed,” the Aqua team says. According to 2019 data, Travis CI was used in over 932,977 open source projects by over 600,000 unique users.
Such access to high-level user credentials poses a risk to the software developers who use the product as well as their customers. “If an attacker obtains these credentials, there is nothing stopping them from introducing malicious code into libraries or the build process,” explains Bharat Mistry, security Trend Micros technical director for the UK and Ireland. “This flaw could undoubtedly lead to digital supply chain attacks.”
Supply chain attacks can be extremely damaging. In 2020, the Solar Winds attack gave state-sponsored Russian hackers access to the systems of thousands of businesses and government organisations. The Kaseya supply chain attack in 2021 allowed criminals to encrypt the data of over 1,500 companies at the same time, holding them all hostage.
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/06/the-travis-ci-vulnerability-exposes-sensitive-open-source-project-credentials/
作者:[Laveesh Kocher][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
[b]: https://github.com/lkxed
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/06/travis-c.png

37
translated/news/20220616 The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials.md Normal file
View File

@ -0,0 +1,37 @@
[#]: subject: "The Travis CI Vulnerability Exposes Sensitive Open Source Project Credentials"
[#]: via: "https://www.opensourceforu.com/2022/06/the-travis-ci-vulnerability-exposes-sensitive-open-source-project-credentials/"
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
[#]: collector: "lkxed"
[#]: translator: "lkxed"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Travis CI 漏洞暴露了敏感的开源项目凭证
======
![Travis CI][1]
Travis CI 持续集成工具中的一个缺陷暴露了来自数千个在线开源项目的敏感数据。这并不是该软件第一次遇到此类安全问题。
Travis CI 是一个持续集成工具它帮助软件开发者实现自动化地测试新代码并将新代码集成到开源项目中。Aqua 研究人员发现,通过该软件的一个 API可以访问来自 Travis CI 免费用户的多达 7.7 亿条“日志”(即使用户的账号已经删除)。
攻击者可以从这些明文存储的日志中,提取出用于登录 GitHub、Docker Hub 和 AWS 等云服务的用户身份验证令牌。研究人员在 800 万份日志样本中,发现了 70000 多个敏感令牌和其他机密凭证。Aqua 团队认为“所有 Travis CI 免费用户都有可能暴露”。根据 2019 年的数据Travis CI 被超过 60 万名独立用户,用于超过 932977 个开源项目。
这种对高级用户凭证的访问,会给使用该产品的软件开发者及其客户带来风险。“趋势科技”英国和爱尔兰安全技术总监 Bharat Mistry 解释道:“如果攻击者获得了这些凭据,就没有什么能阻止他们将恶意代码引入库或构建过程。这个缺陷无疑会导致数字供应链攻击。”
供应链攻击可能极具破坏性。2020 年的 <ruby>太阳风<rt>Solar Winds</rt></ruby> 攻击使国家资助的俄罗斯黑客能够访问数千家企业和政府组织的系统。2021 年的 Kaseya 供应链攻击,使犯罪分子可以同时加密 1500 多家公司的数据,将他们全部扣为人质。
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/06/the-travis-ci-vulnerability-exposes-sensitive-open-source-project-credentials/
作者:[Laveesh Kocher][a]
选题:[lkxed][b]
译者:[lkxed](https://github.com/lkxed)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
[b]: https://github.com/lkxed
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/06/travis-c.png