GHSA-frqc-f2h8-fjvf: Spring for GraphQL may be exposed to GraphQL context with values from a different session

A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.


Low severity. GitHub Reviewed. Published Sep 20, 2023 to the GitHub Advisory Database. Updated Sep 21, 2023.

Package

maven org.springframework.graphql:spring-graphql (Maven)

Affected versions

>= 1.1.0, < 1.1.6

>= 1.2.0, < 1.2.3

Patched versions

1.1.6

1.2.3

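The advisory's vulnerable condition is a registration pattern, not a code defect in the application itself. The following Java snippet is an added example, not code from the advisory or from the Spring for GraphQL project: it registers one batch loader in the form the advisory names (an application-supplied DataLoaderOptions instance passed to the registry) and once more without such an instance, so that a reviewer can recognise the pattern in a codebase. The Book type, the "userId" context key and the loader name are constructed for the example; BatchLoaderRegistry, RegistrationSpec.withOptions, registerMappedBatchLoader and BatchLoaderEnvironment.getContext are the library's documented registration API as the author understands it.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

import graphql.GraphQLContext;
import org.dataloader.BatchLoaderEnvironment;
import org.dataloader.DataLoaderOptions;
import org.springframework.context.annotation.Configuration;
import org.springframework.graphql.execution.BatchLoaderRegistry;
import reactor.core.publisher.Mono;

// Constructed example: registers the same batch loader twice, once in the
// form the advisory identifies as the vulnerable condition and once without
// an application-provided DataLoaderOptions instance.
@Configuration
public class BookBatchLoaderConfig {

    // Hypothetical domain type used only for this example.
    public record Book(Long id, String title, String ownerId) {}

    public BookBatchLoaderConfig(BatchLoaderRegistry registry) {
        // Affected pattern on spring-graphql 1.1.0-1.1.5 / 1.2.0-1.2.2:
        // the application hands the registry its own DataLoaderOptions instance.
        DataLoaderOptions options = DataLoaderOptions.newOptions().setMaxBatchSize(50);
        registry.forTypePair(Long.class, Book.class)
                .withName("booksWithOptions")
                .withOptions(options)
                .registerMappedBatchLoader(this::loadBooks);

        // Registration without an explicit DataLoaderOptions instance; this is
        // not the condition the advisory describes.
        registry.forTypePair(Long.class, Book.class)
                .withName("books")
                .registerMappedBatchLoader(this::loadBooks);
    }

    // The loader reads the per-request GraphQLContext through BatchLoaderEnvironment.
    // This is the context the advisory says may carry values, including security
    // context values, from a different session on affected versions when the
    // options-instance registration above is used.
    private Mono<Map<Long, Book>> loadBooks(Set<Long> ids, BatchLoaderEnvironment env) {
        GraphQLContext context = env.getContext();
        String currentUser = context.getOrDefault("userId", "anonymous");
        Map<Long, Book> books = ids.stream()
                .map(id -> new Book(id, "Book " + id, currentUser))
                .collect(Collectors.toMap(Book::id, Function.identity()));
        return Mono.just(books);
    }
}
```

For triage, the two facts that matter are the spring-graphql version on the classpath (affected ranges are listed above) and whether any registration passes a DataLoaderOptions instance to withOptions; a loader that derives authorization decisions from the GraphQLContext, as loadBooks does with "userId", is where the cross-session exposure would surface. The remediation the advisory gives is upgrading to 1.1.6 or 1.2.3.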

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-34047
  • https://spring.io/security/cve-2023-34047

Published to the GitHub Advisory Database

Sep 20, 2023

Last updated

Sep 21, 2023

Related news

CVE-2023-34047: Exposure of data and identity to wrong session in Spring for GraphQL