{
  "schema_version": "1.4.0",
  "id": "GHSA-vq59-5x26-h639",
  "modified": "2023-03-17T14:43:12Z",
  "published": "2023-03-17T14:43:12Z",
  "aliases": [
    "CVE-2023-28109"
  ],
  "summary": "Authorization Bypass Through User-Controlled Key play-with-docker",
  "details": "Impact\nGive that CORS configuration was not correct, an attacker could use [play-with-docker.com](http://play-with-docker.com/) as an example, set origin header in http request as  [evil-play-with-docker.com](http://evil-play-with-docker.com/), it will be echo in response header, which successfully bypass the CORS policy and retrieves basic user information.\n\nPatches\nIt has been fixed in lastest version, Please upgrade to latest version\n\nWorkarounds\nNo, users have to upgrade version.\n\n\n\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/play-with-docker/play-with-docker"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/play-with-docker/play-with-docker/security/advisories/GHSA-vq59-5x26-h639"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/play-with-docker/play-with-docker/commit/ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/play-with-docker/play-with-docker"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T14:43:12Z",
    "nvd_published_at": "2023-03-16T17:15:00Z"
  }
}