In this post, we will be discussing a recently discovered vulnerability affecting the Spring for GraphQL framework that allows an attacker to gain access to sensitive data from other users' sessions. This vulnerability is assigned the identifier CVE-2023-34047 and affects Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2. If you are using Spring for GraphQL, you may be at risk and should take the necessary steps to mitigate this vulnerability.

The Vulnerability

The vulnerability CVE-2023-34047 is related to a batch loader function utilized within the Spring for GraphQL framework. This function is exposed to the GraphQL context and may leak security context values from one session to another, potentially compromising sensitive data within your application.

The issue exists when an application provides a DataLoaderOptions instance while registering batch loader functions through DefaultBatchLoaderRegistry. Because that instance is reused for every request, an attacker whose session can reach the DataLoaderOptions can potentially gain access to security-related data from other users' sessions.

Affected versions: Spring for GraphQL 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2

Code Snippet Demonstrating the Vulnerability

An affected application is likely to use code similar to the following when registering batch loader functions:

// Registration runs once at startup; the single DataLoaderOptions instance created here
// is handed to the registry and reused for every request that follows.
DefaultBatchLoaderRegistry batchLoaderRegistry = new DefaultBatchLoaderRegistry();
DataLoaderOptions options = DataLoaderOptions.newOptions();
batchLoaderRegistry.forName("myBatchLoader")
        .withOptions(options)
        // loadValues(keys) stands in for the application's own batch-loading method
        .registerBatchLoader((keys, env) -> Flux.fromIterable(loadValues(keys)));

An attacker, if they can access the DataLoaderOptions, may wrongly read context variables that belong to another session, since the same options instance is used across different sessions.

Mitigation

To mitigate this vulnerability, stop reusing a single DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry. Instead, follow the code snippet below as an example:

// Each registration gets its own DataLoaderOptions instance instead of a shared one.
DefaultBatchLoaderRegistry batchLoaderRegistry = new DefaultBatchLoaderRegistry();
batchLoaderRegistry.forName("myBatchLoader")
        .withOptions(DataLoaderOptions.newOptions())
        // loadValues(keys) stands in for the application's own batch-loading method
        .registerBatchLoader((keys, env) -> Flux.fromIterable(loadValues(keys)));

By creating a new instance of DataLoaderOptions for each batch loader function, you can ensure that no loader instance is shared across sessions, thus preventing any potential leakage of user data or security context.
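The following program is an added example, not code from the Spring for GraphQL project or from this post, that models in plain Java why a mutable options object reused across requests leaks one session's context into another, and how copying the options per request avoids it. The Options, Loader, RequestContext and Registration types are simplified stand-ins for DataLoaderOptions, the batch loader, the GraphQL context and the registry entry; they are assumptions of this example and not the framework's classes. The post's mitigation snippet creates the options at registration time; this example assumes registration happens once at startup and therefore also shows the per-request copy that keeps each request's context provider on its own instance.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

/**
 * Simplified model (added here, not Spring for GraphQL's code) of how a shared,
 * mutable options object leaks a per-request context across requests, and how
 * copying the options per request avoids it.
 */
public class SharedOptionsLeakDemo {

    /** Stand-in for the per-request GraphQL context; it only carries the user name. */
    record RequestContext(String user) {}

    /** Minimal stand-in for DataLoaderOptions: mutable, with a context provider. */
    static final class Options {
        private Supplier<RequestContext> contextProvider;
        private int maxBatchSize = 100;

        Options setContextProvider(Supplier<RequestContext> p) { this.contextProvider = p; return this; }
        Options setMaxBatchSize(int n) { this.maxBatchSize = n; return this; }
        RequestContext context() { return contextProvider.get(); }

        /** Copy: the safe pattern sets per-request state on a fresh instance. */
        Options copy() { return new Options().setMaxBatchSize(maxBatchSize).setContextProvider(contextProvider); }
    }

    /** A batch loader that reads the request context through the options it was created with. */
    record Loader(String name, Options options) {
        String whoAmI() { return options.context().user(); }
    }

    /** What the application registers once at startup: a name plus its options. */
    record Registration(String name, Options options) {}

    private final List<Registration> registrations = new ArrayList<>();

    void register(String name, Options options) { registrations.add(new Registration(name, options)); }

    /** Vulnerable behaviour: mutate the registered instance for every request. */
    Map<String, Loader> loadersForRequestShared(RequestContext ctx) {
        Map<String, Loader> loaders = new HashMap<>();
        for (Registration r : registrations) {
            Options opts = r.options();          // same instance for every request
            opts.setContextProvider(() -> ctx);  // overwrites what the previous request set
            loaders.put(r.name(), new Loader(r.name(), opts));
        }
        return loaders;
    }

    /** Safe behaviour: copy the registered options, then set the provider on the copy. */
    Map<String, Loader> loadersForRequestCopied(RequestContext ctx) {
        Map<String, Loader> loaders = new HashMap<>();
        for (Registration r : registrations) {
            Options opts = r.options().copy().setContextProvider(() -> ctx);
            loaders.put(r.name(), new Loader(r.name(), opts));
        }
        return loaders;
    }

    public static void main(String[] args) {
        SharedOptionsLeakDemo registry = new SharedOptionsLeakDemo();
        // One options instance handed to the registry, as in the vulnerable snippet.
        registry.register("userLoader", new Options());

        RequestContext alice = new RequestContext("alice");   // constructed sample request
        RequestContext bob = new RequestContext("bob");       // constructed sample request

        // Two requests are in flight: Alice's loaders are built first, then Bob's.
        Loader aliceShared = registry.loadersForRequestShared(alice).get("userLoader");
        registry.loadersForRequestShared(bob);
        // Alice's loader now resolves Bob's context: this is the leak.
        System.out.println("shared options -> alice's loader sees: " + aliceShared.whoAmI());

        Loader aliceCopied = registry.loadersForRequestCopied(alice).get("userLoader");
        registry.loadersForRequestCopied(bob);
        // With a copy per request, Alice's loader still sees Alice.
        System.out.println("copied options -> alice's loader sees: " + aliceCopied.whoAmI());
    }
}
```

Run it with `java SharedOptionsLeakDemo.java`: the first line prints "bob", because the registered Options instance was mutated by Bob's request after Alice's loader captured it, and the second line prints "alice". The design point is that whatever is set per request (here the context provider) must live on an object owned by that request, never on the instance the application registered at startup.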

Original References and Further Information

To learn more about this vulnerability or follow its development, please consult the official sources below:

1. CVE-2023-34047 Official Information on MITRE
2. Spring for GraphQL Official Repository

Conclusion

In conclusion, CVE-2023-34047 is a serious security vulnerability present in certain versions of Spring for GraphQL. Users are strongly advised to address this issue by updating their codebase, ensuring a separate DataLoaderOptions instance is created for each batch loader function. This change will prevent any potential data leakage between users' sessions and improve the overall security of the application. Be sure to follow updates on the situation to remain protected.

Timeline

Published on: 09/20/2023 10:15:00 UTC
Last modified on: 10/18/2023 18:04:00 UTC