Headline
CVE-2023-34047: CVE-2023-34047: Exposure of data and identity to wrong session in Spring for GraphQL
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
Description
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
Affected Spring Products and Versions
- Spring for GraphQL 1.1.0 - 1.1.5
- Spring for GraphQL 1.2.0 - 1.2.2
Older versions are not affected.
Mitigation
Users of affected versions should upgrade to the following versions:
- 1.1.x should upgrade to 1.1.6
- 1.2.x should upgrade to 1.2.3
Credit
The issue was reported by Jack Rowland.
References
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N&version=3.1
Related news
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.