Authorization Bypass Through User-Controlled Key play-with-docker
Moderate severity
GitHub Reviewed
Published
Mar 16, 2023
in
play-with-docker/play-with-docker
•
Updated Mar 17, 2023
Package
Affected versions
<= 0.0.2
Patched versions
None
Description
Published by the National Vulnerability Database
Mar 16, 2023
Published to the GitHub Advisory Database
Mar 17, 2023
Reviewed
Mar 17, 2023
Last updated
Mar 17, 2023
Credits
-
cokeBeer Reporter
Impact
Give that CORS configuration was not correct, an attacker could use play-with-docker.com as an example, set origin header in http request as evil-play-with-docker.com, it will be echo in response header, which successfully bypass the CORS policy and retrieves basic user information.
Patches
It has been fixed in lastest version, Please upgrade to latest version
Workarounds
No, users have to upgrade version.
References