CVE-2023-28109 — Authorization Bypass Through User-Controlled Key play-with-docker

Description

Impact Give that CORS configuration was not correct, an attacker could use [play-with-docker.com](http://play-with-docker.com/) as an example, set origin header in http request as [evil-play-with-docker.com](http://evil-play-with-docker.com/), it will be echo in response header, which successfully bypass the CORS policy and retrieves basic user information. Patches It has been fixed in lastest version, Please upgrade to latest version Workarounds No, users have to upgrade version.

How to fix CVE-2023-28109

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-28109 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28109
PATCHgithub.com/play-with-docker/play-with-docker
WEBgithub.com/play-with-docker/play-with-docker/commit/ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a
WEBgithub.com/play-with-docker/play-with-docker/security/advisories/GHSA-vq59-5x26-h639