CVE-2023-49935
HIGHSlurm 23.02.x-23.02.6 and 23.11.x < 23.11.1 - Unauthenticated Message Integrity Bypass via Token Reuse
Title source: llmDescription
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.
References (6)
Core 6
Core References
Mailing List, Vendor Advisory
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
Vendor Advisory
https://www.schedmd.com/security-archive.php
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
Scores
CVSS v3
8.8
EPSS
0.0104
EPSS Percentile
59.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-613
Status
published
Products (2)
schedmd/slurm
23.11 (2 CPE variants)
schedmd/slurm
23.02 - 23.02.7
Published
Dec 14, 2023
Tracked Since
Feb 18, 2026