Description: An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 1008634

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| condor (PTS) | stretch | 8.4.11~dfsg.1-1 | vulnerable |
| | stretch (security) | 8.4.11~dfsg.1-1+deb9u2 | fixed |
| | buster, sid | 8.6.8~dfsg.1-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |

Notes (V8_8_16) (V8_8_16)
