Authorization Bypass Through User-Controlled Key play-with-docker

Impact
Give that CORS configuration was not correct, an attacker could use play-with-docker.com as an example, set origin header in http request as evil-play-with-docker.com, it will be echo in response header, which successfully bypass the CORS policy and retrieves basic user information.

Patches
It has been fixed in lastest version, Please upgrade to latest version

Workarounds
No, users have to upgrade version.

References

marcosnils published to play-with-docker/play-with-docker Mar 16, 2023

Published by the National Vulnerability Database Mar 16, 2023

Published to the GitHub Advisory Database Mar 17, 2023

Reviewed Mar 17, 2023

Last updated Mar 17, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits