An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
The vulnerability consists of a double free of the same memory area (double free), which is a classic memory management error. An attacker can exploit this mechanism to corrupt the process heap (heap corruption), which in turn opens a path to arbitrary code execution or service destabilization. The attack requires no authentication or user interaction and is possible over the network.
An attacker can cause system failure (DoS) or execute arbitrary code on a vulnerable Slurm server, potentially gaining full control over it.
SchedMD Slurm should be updated to version 22.05.11, 23.02.7 or 23.11.1, depending on the branch in use. Patches are available from the vendor and in distribution repositories (including Fedora).
SchedMD Slurm in versions 22.05.x, 23.02.x and 23.11.x (prior to patches).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSchedmd Slurm
APPSchedmd23.1122.05 – 22.05.12 (bez)23.02 – 23.02.7 (bez)
Related vulnerabilities
SQL Injection w SchedMD Slurm 23.11.x przeciwko bazie SlurmDBD
SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges.
Slurm before 19.05.8 and 20.x before 20.02.6 has an RPC Buffer Overflow in the PMIx MPI plugin.
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bit systems.