CVE-2023-49938 | Vulnerability Database | Aqua Security

An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.

Affected Software

Name	Vendor	Start Version	End Version
Slurm	Schedmd	22.05.0 (including)	22.05.11 (excluding)
Slurm	Schedmd	23.02.0 (including)	23.02.7 (excluding)
Slurm-llnl	Ubuntu	bionic	*
Slurm-llnl	Ubuntu	focal	*
Slurm-llnl	Ubuntu	trusty	*
Slurm-llnl	Ubuntu	trusty/esm	*
Slurm-llnl	Ubuntu	xenial	*
Slurm-wlm	Ubuntu	bionic	*
Slurm-wlm	Ubuntu	esm-apps/jammy	*
Slurm-wlm	Ubuntu	jammy	*
Slurm-wlm	Ubuntu	lunar	*
Slurm-wlm	Ubuntu	mantic	*
Slurm-wlm	Ubuntu	oracular	*
Slurm-wlm	Ubuntu	trusty	*
Slurm-wlm	Ubuntu	upstream	*
Slurm-wlm	Ubuntu	xenial	*

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
https://www.schedmd.com/security-archive.php
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
https://www.schedmd.com/security-archive.php

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49938
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html