CVE-2023-34047

Name of the Vulnerable Software and Affected Versions Spring for GraphQL versions 1.1.0 through 1.1.5 Spring for GraphQL versions 1.2.0 through 1.2.2

Description A batch loader function in Spring for GraphQL may be exposed to GraphQL context with values, including security context values, from a different session. This issue arises when an application provides a DataLoaderOptions instance while registering batch loader functions through DefaultBatchLoaderRegistry.

Recommendations For Spring for GraphQL versions 1.1.0 through 1.1.5, avoid providing a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry to prevent exposure to GraphQL context from different sessions. For Spring for GraphQL versions 1.2.0 through 1.2.2, avoid providing a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry to prevent exposure to GraphQL context from different sessions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.