CVE-2023-34047
Summary
| CVE | CVE-2023-34047 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-20 10:15:00 UTC |
| Updated | 2023-10-18 18:04:00 UTC |
| Description | A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Spring | Spring | All | All | All | All |
| Application | Spring | Spring | All | All | All | All |
| Application | Vmware | Spring For Graphql | All | All | All | All |
| Application | Vmware | Spring For Graphql | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2023-34047: Exposure of data and identity to wrong session in Spring for GraphQL | MISC | spring.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995343 Java (Maven) Security Update for org.springframework.graphql:spring-graphql (GHSA-frqc-f2h8-fjvf)