#VU37992 Untrusted search path in Slurm - CVE-2017-15566 

 


Published: November 1, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU37992
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-15566
CWE-ID: CWE-426
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Slurm
Software vendor: SchedMD

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

Insecure SPANK environment variable handling exists in SchedMD Slurm before 16.05.11, 17.x before 17.02.9, and 17.11.x before 17.11.0rc2, allowing privilege escalation to root during Prolog or Epilog execution.


Remediation

Install the update from the vendor's website.
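To check which hosts still run a release inside the affected ranges given in the description, the following added example (not part of the original advisory and not SchedMD code) compares Slurm version strings against the first fixed release of each branch. The function names, the host inventory and the accepted version-string shapes (`17.02.8`, `17.11.0rc1`, `17.11.0-0rc1`, optionally prefixed with `slurm `) are assumptions.

```python
import re

# Assumed version-string shapes (not from the advisory): "16.05.10",
# "17.11.0rc1", "17.11.0-0rc1", optionally prefixed with "slurm ".
_VERSION_RE = re.compile(
    r"^(?:slurm\s+)?(\d+)\.(\d+)\.(\d+)(?:-\d+)?(?:(pre|rc)(\d+))?$"
)
# Pre-releases sort before the final release of the same x.y.z.
_STAGE = {"pre": 0, "rc": 1, None: 2}

# First fixed release per branch, as listed in the advisory description.
_FIXED_16_05 = (16, 5, 11, 2, 0)   # 16.05.11
_FIXED_17_02 = (17, 2, 9, 2, 0)    # 17.02.9
_FIXED_17_11 = (17, 11, 0, 1, 2)   # 17.11.0rc2


def parse_slurm_version(text):
    """Return a sortable tuple (major, minor, micro, stage, stage_number)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Slurm version: {text!r}")
    major, minor, micro, stage, stage_num = m.groups()
    return (int(major), int(minor), int(micro), _STAGE[stage], int(stage_num or 0))


def is_affected(text):
    """True if the version falls in a range the advisory lists as vulnerable."""
    v = parse_slurm_version(text)
    branch = v[:2]
    if branch >= (17, 11):          # 17.11.x before 17.11.0rc2
        return v < _FIXED_17_11
    if branch >= (17, 0):           # 17.x before 17.02.9
        return v < _FIXED_17_02
    return v < _FIXED_16_05         # anything before 16.05.11


def affected_hosts(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration; host names are hypothetical.
    inventory = {
        "node01": "slurm 16.05.10",
        "node02": "slurm 17.02.9",
        "node03": "17.11.0-0rc1",
        "node04": "17.11.0",
    }
    print(affected_hosts(inventory))
```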
