CVE-2024-48936

Name of the Vulnerable Software and Affected Versions SchedMD Slurm versions prior to 24.05.4

Description A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This issue is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable stepmgr in their configuration.

Recommendations For versions prior to 24.05.4, update to version 24.05.4 or later to resolve the issue. As a temporary workaround, consider disabling the stepmgr functionality until a patch is available. Restrict access to jobs running with --stepmgr to minimize the risk of exploitation. Avoid globally enabling stepmgr via SlurmctldParameters=enable stepmgr in the configuration until the issue is resolved.