GitHub Advisory Database: GHSA-VQ59-5X26-H639
History: Mar 17, 2023 - 2:43 p.m.

Authorization Bypass Through User-Controlled Key play-with-docker

2023-03-17 14:43:12
CWE-639
Source: GitHub Advisory Database (github.com)
Tags: authorization bypass, user-controlled key, play-with-docker, cors configuration, http request, response header, security patch, upgrade

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.002 Low
Percentile: 56.4%

Impact
Because the CORS configuration was incorrect, the server echoed whatever value a request carried in its Origin header back in the Access-Control-Allow-Origin response header. Using play-with-docker.com as an example, a request with the Origin header set to evil-play-with-docker.com would have that origin reflected in the response, which bypasses the CORS policy and lets the attacker's origin retrieve basic user information.
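The failure mode described above is origin reflection: a CORS layer that copies the request's Origin into Access-Control-Allow-Origin without checking it. The following is an added example, not code from the play-with-docker project, showing that weak pattern beside an allowlist-based middleware, with an in-process check that reports which origin each variant would grant. The endpoint path, the allowlist contents (https://play-with-docker.com is assumed to be the legitimate origin) and the evil-play-with-docker.com probe origin are illustrative assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is an assumed allowlist; a real deployment would load it
// from configuration rather than hard-code it.
var allowedOrigins = map[string]bool{
	"https://play-with-docker.com": true,
}

// reflectingCORS mirrors the request's Origin into the response. This is the
// weak pattern the advisory describes: every origin, including the attacker's,
// is granted credentialed cross-origin read access.
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS only echoes an origin that matches the allowlist exactly.
// Unknown origins get no Access-Control-Allow-Origin header at all, so the
// browser refuses to expose the response to the calling page.
func allowlistCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			// Vary tells caches the response depends on the Origin header.
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// userInfo stands in for the endpoint that returns basic user information
// (constructed placeholder body).
func userInfo(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"user":"alice"}`)
}

// allowOriginFor sends a GET with the given Origin through h and returns the
// Access-Control-Allow-Origin header the handler produced ("" if none).
// The same check can be pointed at a live deployment as a regression test.
func allowOriginFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/users/me", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	evil := "https://evil-play-with-docker.com"
	api := http.HandlerFunc(userInfo)
	fmt.Printf("reflecting: %q\n", allowOriginFor(reflectingCORS(api), evil))
	fmt.Printf("allowlist:  %q\n", allowOriginFor(allowlistCORS(api), evil))
}
```

The probe only asserts on the Access-Control-Allow-Origin header, which is the value a browser uses to decide whether script on the calling origin may read the body. Exact-match lookup in a map avoids the related mistake of substring or suffix matching on the origin (which would accept evil-play-with-docker.com as a match for play-with-docker.com); a production middleware would additionally answer OPTIONS preflights with the same allowlist logic.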

Patches
This has been fixed in the latest version. Please upgrade to the latest version.

Workarounds
None. Users have to upgrade to a fixed version.

Affected configurations

Vulners node: play-with-docker / play_with_docker, range: 0.0.2
