Bug 2254495 (CVE-2023-49938)

Summary: CVE-2023-49938 slurm: incorrect access control
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2254496    
Bug Blocks:    

Description ybuenos 2023-12-14 09:20:05 UTC 
An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.

https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
https://www.schedmd.com/security-archive.php
Comment 1 ybuenos 2023-12-14 09:20:17 UTC 
Created slurm tracking bugs for this issue:

Affects: fedora-all [bug 2254496]