CVE-2024-48936

Name: CVE-2024-48936
Description: SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1086003

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                       | Version                         | Status
slurm-wlm (PTS) | bullseye (security), bullseye | 20.11.7+really20.11.4-2+deb11u1 | fixed
                | bookworm, bookworm (security) | 22.05.8-4+deb12u2               | fixed
                | trixie                        | 24.05.4-1                       | fixed
                | sid                           | 24.11.0-1                       | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
slurm-wlm | source | bullseye   | (not affected) |         |        |
slurm-wlm | source | bookworm   | (not affected) |         |        |
slurm-wlm | source | (unstable) | 24.05.4-1      |         |        | 1086003

Notes

[bookworm] - slurm-wlm <not-affected> (Vulnerable code introduced later)
[bullseye] - slurm-wlm <not-affected> (Vulnerable code introduced later)
https://www.schedmd.com/slurm-version-24-05-4-is-now-available/
Isolated Job Step management introduced in 24.05.
