First published: Wed Sep 20 2023
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
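As an added illustration (not code from the advisory or the Spring project), a registration that matches the condition described above: a DataLoaderOptions instance built once at startup is passed when a batch loader is registered through the default BatchLoaderRegistry. Author, AuthorService and findByIds are assumed names.

```java
// Added example: a Spring for GraphQL configuration matching the advisory's
// vulnerable condition. Author, AuthorService and findByIds are assumed names.
import org.dataloader.DataLoaderOptions;
import org.springframework.context.annotation.Configuration;
import org.springframework.graphql.execution.BatchLoaderRegistry;
import reactor.core.publisher.Flux;

@Configuration
public class AuthorLoaderConfig {

    // The injected BatchLoaderRegistry is a DefaultBatchLoaderRegistry by default.
    public AuthorLoaderConfig(BatchLoaderRegistry registry, AuthorService authorService) {

        // One DataLoaderOptions instance created at startup ...
        DataLoaderOptions options = DataLoaderOptions.newOptions().setCachingEnabled(false);

        // ... and supplied when registering the batch loader. On Spring for GraphQL
        // 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 this is the pattern the advisory names: the
        // loader may be exposed to GraphQL context values, including security context
        // values, from a different session. The remedy stated by the advisory is to
        // upgrade to 1.1.6 or later / 1.2.3 or later.
        registry.forTypePair(Long.class, Author.class)
                .withOptions(options)
                .registerBatchLoader((ids, env) -> Flux.fromIterable(authorService.findByIds(ids)));
    }
}
```

When auditing an application, look for registrations on the affected versions that call withOptions with a DataLoaderOptions instance; registrations that supply no options do not match the condition the advisory describes.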
Credit: security@vmware.com
Affected Software | Affected Version | How to fix
---|---|---
VMware Spring for GraphQL | >=1.1.0, <=1.1.5 | Update to 1.1.6 or later
VMware Spring for GraphQL | >=1.2.0, <=1.2.2 | Update to 1.2.3 or later
CVE-2023-34047 is rated low severity, with a severity score of 3.1.
Versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 of Spring for GraphQL are affected by CVE-2023-34047.
CVE-2023-34047 is a vulnerability where a batch loader function in Spring for GraphQL may expose values from a different session.
To fix CVE-2023-34047, update Spring for GraphQL to version 1.1.6 or later if you are on 1.1.0 - 1.1.5, or to version 1.2.3 or later if you are on 1.2.0 - 1.2.2.
You can find more information about CVE-2023-34047 at the following references: [1] https://spring.io/security/cve-2023-34047, [2] https://nvd.nist.gov/vuln/detail/CVE-2023-34047, [3] https://github.com/advisories/GHSA-frqc-f2h8-fjvf.