CVE-2023-28109: 
vulnerability analysis and mitigation

Play With Docker, a browser-based Docker playground, was found to contain a domain hijacking vulnerability in versions 0.0.2 and prior. The vulnerability was discovered on March 16, 2023, and was assigned CVE-2023-28109. The issue affected the CORS (Cross-Origin Resource Sharing) configuration of the application (GitHub Advisory, NVD).

The vulnerability stems from incorrect CORS configuration that allowed attackers to bypass domain validation. An attacker could set the origin header in an HTTP request to a malicious domain (e.g., 'evil-play-with-docker.com') while targeting play-with-docker.com. The server would echo this origin in the response header, successfully bypassing the CORS policy. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory).

The successful exploitation of this vulnerability could allow attackers to retrieve basic user information from the application. The vulnerability primarily affects the confidentiality of user data, with no direct impact on system integrity or availability (NVD).

The vulnerability has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. Users are strongly advised to upgrade to the latest version as there are no known workarounds for this vulnerability (GitHub Patch).