CVE-2020-12693

Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare case where Message Aggregation is enabled, allows Authentication Bypass via an Alternate Path or Channel. A race condition allows a user to launch a process as an arbitrary user.

Published: May 22, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-12693
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
schedmd / slurm	20.02.0	20.02.3
schedmd / slurm	19.05.0	19.05.7
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
opensuse / leap	15.1	15.1.x
opensuse / leap	15.2	15.2.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00035.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00063.html
https://lists.debian.org/debian-lts-announce/2022/01/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KNL5E5SK4WP6M3DKU4IKW2NPQD2XTZ4Y/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3RGQB3EWDLOLTSPAJPPWZEPQK3O3AUH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNL5E5SK4WP6M3DKU4IKW2NPQD2XTZ4Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3RGQB3EWDLOLTSPAJPPWZEPQK3O3AUH/
https://lists.schedmd.com/pipermail/slurm-announce/2020/000036.html
https://www.debian.org/security/2021/dsa-4841
https://www.schedmd.com/news.php?id=236

Vulnerability Database

CVE-2020-12693