CVE-2023-49935

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-49935
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html Mailing List Vendor Advisory
https://www.schedmd.com/security-archive.php Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:schedmd:slurm:*:*:*:*:*:*:*:*
cpe:2.3:a:schedmd:slurm:23.11:-:*:*:*:*:*:*
cpe:2.3:a:schedmd:slurm:23.11:rc1:*:*:*:*:*:*
History

03 Jan 2024, 03:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/ -

20 Dec 2023, 18:47

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en SchedMD Slurm 23.02.x y 23.11.x. Hay un control de acceso incorrecto debido a una omisión de integridad de mensajes lenta. Un atacante puede reutilizar tokens de autenticación de nivel raíz durante la interacción con el proceso slurmd. Esto omite los hashes de mensajes RPC que protegen contra la reutilización no deseada de credenciales MUNGE. Las versiones fijas son 23.02.7 y 23.11.1.
CPE cpe:2.3:a:schedmd:slurm:23.11:-:*:*:*:*:*:*
cpe:2.3:a:schedmd:slurm:*:*:*:*:*:*:*:*
cpe:2.3:a:schedmd:slurm:23.11:rc1:*:*:*:*:*:*
First Time Schedmd
Schedmd slurm
CWE CWE-613
References () https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html - () https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html - Mailing List, Vendor Advisory
References () https://www.schedmd.com/security-archive.php - () https://www.schedmd.com/security-archive.php - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

14 Dec 2023, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-14 05:15

Updated : 2024-01-03 03:15

NVD link : CVE-2023-49935

Mitre link : CVE-2023-49935

CVE.ORG link : CVE-2023-49935

JSON object : View

Products Affected

schedmd

  • slurm
CWE
CWE-613

Insufficient Session Expiration