CVE-2026-8634
ABB · Crabbox
Crabbox contains an environment variable exposure vulnerability that allows attackers to exfiltrate sensitive local secrets to remote command environments.
Executive summary
An environment variable exposure vulnerability in ABB Crabbox allows attackers to hijack API tokens and cloud credentials, leading to potential unauthorized access to remote systems.
Vulnerability
The application uses an overly permissive environment variable allowlist when preparing remote execution environments. An attacker who controls a repository can cause sensitive tokens from the local environment to be serialized into the remote execution environment, where the attacker can read them.
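The following is an added example, not Crabbox code and not derived from the vendor's fix; it illustrates the class of defect the advisory describes and the deny-by-default alternative. The environment, the repository-supplied allowlist and the secret-name pattern are all constructed for the example. The weak variant forwards whatever a glob pattern from a repository-controlled configuration matches, so a pattern such as `*` or `AWS_*` carries local credentials into the remote environment; the hardened variant accepts only exact names, rejects glob metacharacters in repository-supplied entries, and refuses secret-like names regardless of the allowlist.

```python
"""Added example (not Crabbox code): selecting which local environment
variables may be forwarded to a remote execution environment."""
import fnmatch
import re

# Constructed sample of a developer's local environment. Values are placeholders.
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "HOME": "/home/dev",
    "LANG": "en_US.UTF-8",
    "AWS_REGION": "us-east-1",
    "AWS_SECRET_ACCESS_KEY": "EXAMPLE_PLACEHOLDER_SECRET",
    "GITHUB_TOKEN": "ghp_EXAMPLE_PLACEHOLDER",
}

# Names that must never leave the local host, whatever the allowlist says (assumed list).
SECRET_NAME_PATTERN = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL)",
    re.IGNORECASE,
)

GLOB_METACHARS = set("*?[]")


def weak_select(env, allow_globs):
    """Permissive behaviour: every variable matched by any repository-supplied
    glob is forwarded, so '*' or 'AWS_*' exports credentials as a side effect."""
    return {
        name: value
        for name, value in env.items()
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in allow_globs)
    }


def validate_allowlist(entries):
    """Reject repository-supplied entries that are not plain variable names.
    Raises ValueError on the first glob metacharacter found."""
    for entry in entries:
        if GLOB_METACHARS & set(entry):
            raise ValueError(f"allowlist entry {entry!r} is a pattern, not a name")
    return list(entries)


def hardened_select(env, allow_names):
    """Deny by default: forward only variables named exactly in the allowlist,
    and block any whose name looks like a secret. Returns (forwarded, blocked)
    so the caller can log what was refused."""
    forwarded, blocked = {}, []
    for name in validate_allowlist(allow_names):
        if name not in env:
            continue  # nothing to forward; not an error
        if SECRET_NAME_PATTERN.search(name):
            blocked.append(name)
            continue
        forwarded[name] = env[name]
    return forwarded, blocked


if __name__ == "__main__":
    # Constructed allowlist as an attacker-controlled repository might supply it.
    repo_globs = ["*"]
    print("weak:", sorted(weak_select(SAMPLE_ENV, repo_globs)))
    repo_names = ["PATH", "AWS_REGION", "GITHUB_TOKEN", "AWS_SECRET_ACCESS_KEY"]
    forwarded, blocked = hardened_select(SAMPLE_ENV, repo_names)
    print("hardened forwarded:", sorted(forwarded))
    print("hardened blocked:", sorted(blocked))
    try:
        hardened_select(SAMPLE_ENV, repo_globs)
    except ValueError as exc:
        print("rejected:", exc)
```

Returning the blocked names separately matters for the monitoring recommendation later in this advisory: a remote job whose configuration repeatedly asks for secret-like variables is itself a signal worth alerting on, even when the request is refused.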
Business impact
With a CVSS score of 9.1, this vulnerability poses a severe risk of credential compromise. Exposure of API tokens and cloud credentials allows attackers to pivot into cloud infrastructure, resulting in unauthorized access to sensitive company data and potential infrastructure takeover.
Remediation
Immediate Action: Update Crabbox to version 0.12.0 or later and rotate any API or cloud credentials that may have been exposed.
Proactive Monitoring: Monitor environment variable configuration files for unauthorized changes and audit logs for anomalous remote command execution.
Compensating Controls: Implement strict CI/CD pipeline security controls and use a secret management service so that sensitive tokens are not held in environment variables that can be forwarded to remote environments.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a significant risk to the integrity of development and deployment pipelines. Organizations must update Crabbox immediately and treat all previously stored credentials as compromised, necessitating a full rotation of affected keys.