A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptionsĀ instance when registering batch loader functions through DefaultBatchLoaderRegistry.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Spring_for_graphql | Vmware | 1.1.0 (including) | 1.1.5 (including) |
Spring_for_graphql | Vmware | 1.2.0 (including) | 1.2.2 (including) |