GHSA-frqc-f2h8-fjvf: Spring for GraphQL may be exposed to GraphQL context with values from a different session
CVE ID: CVE-2023-34047
Severity: Low (GitHub Reviewed). Published to the GitHub Advisory Database Sep 20, 2023; updated Sep 21, 2023.
Package: org.springframework.graphql:spring-graphql (Maven)
Affected versions
>= 1.1.0, < 1.1.6
>= 1.2.0, < 1.2.3
Patched versions
1.1.6
1.2.3
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to a GraphQLContext carrying values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry. Applications on an affected version should upgrade to 1.1.6 or 1.2.3. Until then, audit every batch loader registration for a caller-supplied DataLoaderOptions instance, and treat loaders that read authentication, authorization or tenant data from the context as the highest-impact cases, since a context from another session can cause them to return another user's data.
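The Java below is an added illustration by the editor; it is not code from the advisory or from the Spring for GraphQL project. It contrasts the registration pattern the advisory names as the trigger (a caller-built DataLoaderOptions instance handed to the registry) with the Consumer-based withOptions form, which leaves option creation to the registry, and shows why a loader that reads the context for an access decision is the one that matters. The Author type, the "tenantId" context key and the loader body are invented; the comment describing how concurrent requests collide on the shared instance is the editor's reading of the behaviour and is not stated on this page.

```java
// Added example (editor's, not from the advisory or the Spring project).
// Uses the public BatchLoaderRegistry API of Spring for GraphQL and the
// java-dataloader types. Author, TENANT_KEY and loadAuthors are invented.
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import graphql.GraphQLContext;
import org.dataloader.BatchLoaderEnvironment;
import org.dataloader.DataLoaderOptions;
import org.springframework.graphql.execution.BatchLoaderRegistry;
import reactor.core.publisher.Mono;

public class AuthorBatchLoaders {

    // Hypothetical per-request value that an interceptor copies from the
    // authenticated principal into the GraphQLContext before execution.
    static final String TENANT_KEY = "tenantId";

    record Author(Long id, String tenant, String name) {}

    // AFFECTED on 1.1.0-1.1.5 and 1.2.0-1.2.2: one DataLoaderOptions instance is
    // built once and given to the registry. The advisory names this as the
    // vulnerable condition. Editor's reading of the cause (not stated in the
    // advisory): the registry attaches each request's GraphQLContext to this
    // same instance, so concurrent requests race on it and a loader can observe
    // the context, including security context values, of another session.
    static void registerAffected(BatchLoaderRegistry registry) {
        DataLoaderOptions shared = DataLoaderOptions.newOptions().setMaxBatchSize(100);
        registry.forTypePair(Long.class, Author.class)
                .withOptions(shared)                        // caller-owned, shared instance
                .registerMappedBatchLoader(AuthorBatchLoaders::loadAuthors);
    }

    // AVOIDS THE TRIGGER: the Consumer overload customises options the registry
    // creates itself, so no caller-owned instance is shared across requests.
    // Upgrading to 1.1.6 / 1.2.3 is still the fix; this only removes the
    // condition the advisory describes.
    static void registerSafe(BatchLoaderRegistry registry) {
        registry.forTypePair(Long.class, Author.class)
                .withOptions(options -> options.setMaxBatchSize(100))
                .registerMappedBatchLoader(AuthorBatchLoaders::loadAuthors);
    }

    // The loader uses the context for a security-relevant decision: which
    // tenant's rows to return. If the context belongs to a different session,
    // the wrong tenant's data is served to the caller.
    static Mono<Map<Long, Author>> loadAuthors(Set<Long> ids, BatchLoaderEnvironment env) {
        GraphQLContext ctx = env.getContext();
        String tenant = ctx.get(TENANT_KEY);
        return Mono.fromSupplier(() -> ids.stream()
                .map(id -> new Author(id, tenant, "author-" + id))
                .collect(Collectors.toMap(Author::id, a -> a)));
    }
}
```

When auditing an application, grep registrations for the withOptions overload that takes a DataLoaderOptions object (as in registerAffected) rather than a lambda; that is the pattern the advisory describes as vulnerable, and it is only a concern on the listed versions.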
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-34047
- https://spring.io/security/cve-2023-34047
Published to the GitHub Advisory Database: Sep 20, 2023
Last updated: Sep 21, 2023