CVE-2022-26110

Name: CVE-2022-26110
Description: An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2984-1, DSA-5144-1
Debian Bugs: 1008634

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| condor (PTS) | buster, buster (security) | 8.6.8~dfsg.1-2+deb10u1 | fixed |
| | sid, trixie | 23.4.0+dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

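| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| condor | source | stretch | 8.4.11~dfsg.1-1+deb9u2 | | DLA-2984-1 | |
| condor | source | buster | 8.6.8~dfsg.1-2+deb10u1 | | DSA-5144-1 | |
| condor | source | (unstable) | 23.2.0+dfsg-1 | | | 1008634 |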

Notes

https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003
https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca (V8_8_16)
https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b (V8_8_16)
