CVE-2023-34047: Exposure of data and identity to wrong session in Spring for GraphQL

LOW | SEPTEMBER 19, 2023 | CVE-2023-34047

Description

A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.

Affected Spring Products and Versions

  • Spring for GraphQL 1.1.0 - 1.1.5
  • Spring for GraphQL 1.2.0 - 1.2.2

Older versions are not affected.

Mitigation

Users of affected versions should upgrade to the following versions:

  • 1.1.x should upgrade to 1.1.6
  • 1.2.x should upgrade to 1.2.3

Credit

The issue was reported by Jack Rowland.

References

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all