CVE-2023-34047 LOW

CVE-2023-34047: Exposure of data and identity to wrong session in Spring for GraphQL

Vendor Spring
Product Spring for GraphQL
Published September 20, 2023
Last update September 24, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

A batch loader function in Spring for GraphQL versions 1.1.0 through 1.1.5 and 1.2.0 through 1.2.2 may receive a GraphQL context carrying values, including security context values, that belong to a different session. An application is affected only if it passes a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry; registrations that do not supply such an instance are not affected.
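The registration pattern the description refers to, shown as an added example (this is editor-written illustration, not code from the page or from the Spring for GraphQL project). It assumes the public BatchLoaderRegistry API (forTypePair, withName, withOptions, registerMappedBatchLoader), the hypothetical types Author and AuthorRepository, and a hypothetical "tenant" key in the GraphQL context; the explanation in the comments of why a shared DataLoaderOptions instance leaks context is this editor's reading of the advisory, as are the fixed versions 1.1.6 and 1.2.3.

```java
package example; // hypothetical package

import java.util.Map;
import java.util.Set;

import graphql.GraphQLContext;
import org.dataloader.BatchLoaderEnvironment;
import org.dataloader.DataLoaderOptions;
import org.springframework.graphql.execution.BatchLoaderRegistry;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;

@Component
public class AuthorBatchLoaders {

    // Hypothetical data-access bean; only findAllByTenant(tenant, ids) is used here.
    private final AuthorRepository repository;

    // A single DataLoaderOptions object created once and reused for every request.
    // On 1.1.0-1.1.5 and 1.2.0-1.2.2 the registry mutates the supplied instance per
    // request (it attaches that request's GraphQLContext to it), so two requests in
    // flight at the same time can end up reading each other's context.
    private static final DataLoaderOptions SHARED_OPTIONS =
            DataLoaderOptions.newOptions().setMaxBatchSize(50);

    public AuthorBatchLoaders(BatchLoaderRegistry registry, AuthorRepository repository) {
        this.repository = repository;

        // VULNERABLE PATTERN on affected versions: a DataLoaderOptions *instance* is passed.
        registry.forTypePair(Long.class, Author.class)
                .withName("authorsUnsafe")
                .withOptions(SHARED_OPTIONS)
                .registerMappedBatchLoader(this::loadAuthors);

        // SAFE PATTERN: configure options through the Consumer variant instead of
        // handing over an instance, so no caller-owned object is shared across
        // requests (and upgrade to 1.1.6 / 1.2.3, where the instance form is fixed too).
        registry.forTypePair(Long.class, Author.class)
                .withName("authors")
                .withOptions(options -> options.setMaxBatchSize(50))
                .registerMappedBatchLoader(this::loadAuthors);
    }

    // The batch loader trusts the context it is handed. If that context came from
    // another session, the tenant (or a security principal stored the same way)
    // would be the wrong user's, which is exactly the exposure the CVE describes.
    private Mono<Map<Long, Author>> loadAuthors(Set<Long> ids, BatchLoaderEnvironment env) {
        GraphQLContext context = env.getContext();
        String tenant = context.get("tenant"); // hypothetical per-request value
        return repository.findAllByTenant(tenant, ids);
    }
}
```

When auditing an application against this CVE, grep for `withOptions(` and check whether the argument is a DataLoaderOptions object (a field, a constant, or a value returned by DataLoaderOptions.newOptions()) rather than a lambda; only the former matches the condition in the description.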

Key dates

02 Disclosure timeline

September 20, 2023 CVE published
September 24, 2024 Record updated