Crabbox Authentication Bypass Vulnerability Allowing Impersonation of Owners or Organizations
Vulnerability
An authentication bypass vulnerability has been identified in Crabbox versions prior to 0.12.0. It allows non-admin users who hold a shared token to impersonate other owners or organizations by spoofing identity headers: an attacker adds X-Crabbox-Owner and X-Crabbox-Org headers to a request authenticated with a shared token, and the server trusts those header values as the caller's identity. This bypasses the authorization checks and grants access to the owner- or organization-specific lease operations of the targeted accounts.
Impact
Exploitation of this vulnerability allows for unauthorized impersonation of owners or organizations, granting access to sensitive lease operations within the victim's account.
Reproduction
To reproduce this vulnerability, send a request authenticated with a shared token that also carries spoofed X-Crabbox-Owner and X-Crabbox-Org headers. The request passes the authentication checks and is allowed to perform owner- or organization-specific operations as the spoofed identity.
Remediation
Users can update to Crabbox version 0.12.0 or later, where this vulnerability has been fixed.
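The following is an added illustration and is not Crabbox's code or an excerpt of the 0.12.0 fix. It models the trust decision the advisory describes as two request-identity resolvers side by side: a vulnerable one that lets caller-supplied X-Crabbox-Owner and X-Crabbox-Org headers override the identity a shared token was issued for, and a hardened one that derives identity from the token record only. Only the two header names come from the advisory; the token table, the Principal type, the function names and the lease check are assumptions constructed for the example. A small detection helper reports identity headers that disagree with the token's own identity, which is the signal a defender would log once the hardened path ignores them.

```python
"""Added example modelling the header-trust bug from the advisory.
Not Crabbox's code: tokens, names and the lease check are constructed here;
only the header names X-Crabbox-Owner and X-Crabbox-Org are from the advisory."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample token store: the identity each bearer token was issued
# for, and whether it is a shared (multi-user) token.
TOKENS: Dict[str, Dict[str, object]] = {
    "tok-alice-personal": {"shared": False, "owner": "alice", "org": "acme"},
    "tok-shared-ci": {"shared": True, "owner": "ci-bot", "org": "acme"},
}

OWNER_HEADER = "X-Crabbox-Owner"
ORG_HEADER = "X-Crabbox-Org"


@dataclass(frozen=True)
class Principal:
    owner: str
    org: str


def _token_record(headers: Dict[str, str]) -> Dict[str, object]:
    """Look up the bearer token; reject missing or unknown tokens."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise PermissionError("invalid or missing bearer token")
    return TOKENS[token]


def resolve_principal_vulnerable(headers: Dict[str, str]) -> Principal:
    """Modelled pre-0.12.0 behaviour (an assumption, not Crabbox's code):
    for a shared token the caller-supplied identity headers override the
    identity the token was issued for, so any holder of the shared token
    can act as any owner/org."""
    rec = _token_record(headers)
    owner, org = str(rec["owner"]), str(rec["org"])
    if rec["shared"]:
        owner = headers.get(OWNER_HEADER, owner)
        org = headers.get(ORG_HEADER, org)
    return Principal(owner, org)


def resolve_principal_fixed(headers: Dict[str, str]) -> Principal:
    """Hardened form: identity comes only from the token record. Client
    headers are never consulted, for shared and personal tokens alike."""
    rec = _token_record(headers)
    return Principal(str(rec["owner"]), str(rec["org"]))


def authorize_lease_access(principal: Principal, lease_owner: str, lease_org: str) -> bool:
    """Owner-/org-scoped lease operation: allowed only when the resolved
    principal matches the lease's owner and org."""
    return principal.owner == lease_owner and principal.org == lease_org


def identity_header_mismatches(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Detection aid for the hardened path: identity headers whose value
    differs from the token's own identity, as (header, sent, token value).
    An empty list means no spoofing attempt is visible on this request."""
    rec = _token_record(headers)
    expected = {OWNER_HEADER: str(rec["owner"]), ORG_HEADER: str(rec["org"])}
    return [
        (name, headers[name], expected[name])
        for name in (OWNER_HEADER, ORG_HEADER)
        if name in headers and headers[name] != expected[name]
    ]


if __name__ == "__main__":
    # Constructed request: a shared token plus headers naming another
    # account's owner and org.
    request = {
        "Authorization": "Bearer tok-shared-ci",
        OWNER_HEADER: "bob",
        ORG_HEADER: "globex",
    }
    for label, resolver in (("vulnerable", resolve_principal_vulnerable),
                            ("fixed", resolve_principal_fixed)):
        p = resolver(request)
        print(label, p, "lease access for bob/globex:",
              authorize_lease_access(p, "bob", "globex"))
    print("header mismatches to log:", identity_header_mismatches(request))
```

The design point is that the hardened resolver does not merely validate the headers more strictly; it stops reading them as identity at all, so the authorization decision depends only on what the token was issued for. Logging the mismatches separately lets an operator spot clients still sending identity headers after upgrading.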