PT-2025-20326 · Slurm+2
Published 2025-01-01 · Updated 2026-05-06 ·
CVE-2025-43904
CVSS v2.0
6.8
Medium
| Vector | AV:L/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Slurm versions 22.05, 23.02, 23.11.11, 24.05.8, and 24.11.5 are affected.
Description
Slurm's accounting system lets Coordinators manage users within the accounts they coordinate; it is not meant to let them grant cluster-wide privileges. Because of a flaw in how those permissions are checked, a Coordinator could promote a user to Administrator, the highest privilege level in Slurm accounting, and so escalate from account-level to cluster-wide administrative control. The affected versions are those listed above.
Recommendations
Update to version 24.11.5 or later, which fixes the issue.
Installations on an earlier release series that cannot move to 24.11.5 should apply the latest available release of their series to reduce the risk.
Until the update is applied, restrict Coordinator privileges in the accounting system (for example, remove Coordinator assignments that are not strictly needed) as a temporary workaround.
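Two checks a practitioner would want alongside the recommendations above: confirm whether the installed Slurm is at or past the fixed release, and audit the accounting database for Administrator-level users that nobody authorised (the outcome this flaw produces). The script below is an added example, not part of this advisory or of Slurm; it assumes `sinfo -V` prints `slurm <version>` and that `sacctmgr -nP show user format=User,AdminLevel` prints pipe-separated `User|AdminLevel` lines, and runs here against a constructed sample instead of a live cluster.

```shell
#!/bin/sh
# Added audit helpers for CVE-2025-43904 follow-up. Not SchedMD code.

# Fixed release named in the advisory's recommendation. Sites on an older
# release series should check SchedMD's advisory for that series' fix.
FIXED_VERSION=24.11.5

# Constructed sample of `sacctmgr -nP show user format=User,AdminLevel`
# (assumed output shape: User|AdminLevel, one user per line).
SAMPLE_USERS='root|Administrator
slurm|Administrator
alice|None
bob|Operator
mallory|Administrator'

# version_ge A B: succeed when dotted version A is >= B (numeric compare,
# missing components count as 0, so 24.11 < 24.11.5).
version_ge() {
    v=$1; w=$2
    while [ -n "$v" ] || [ -n "$w" ]; do
        x=${v%%.*}; [ "$x" = "$v" ] && v='' || v=${v#*.}
        y=${w%%.*}; [ "$y" = "$w" ] && w='' || w=${w#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# slurm_patched "slurm 24.11.4": succeed when the version string reported
# by `sinfo -V` (assumed format "slurm X.Y.Z") is at or above FIXED_VERSION.
slurm_patched() {
    ver=${1#slurm }
    version_ge "$ver" "$FIXED_VERSION"
}

# audit_admins ALLOWLIST < sacctmgr-output
# Prints each user with AdminLevel=Administrator that is not in the
# space-separated ALLOWLIST; returns 1 if any such user was found.
audit_admins() {
    allow=" $1 "
    found=0
    while IFS='|' read -r user level; do
        [ "$level" = "Administrator" ] || continue
        case "$allow" in
            *" $user "*) ;;
            *) printf 'unexpected administrator: %s\n' "$user"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone demo on the constructed sample. On a real cluster replace the
# printf with: sacctmgr -nP show user format=User,AdminLevel
printf '%s\n' "$SAMPLE_USERS" | audit_admins "root slurm" \
    || echo "review the administrators listed above"
```

Run the audit before and after patching: an Administrator that appears without a change-management record is the signal that a Coordinator may already have used the flaw, and the version check tells you whether the window is still open.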
Restrict access to the slurmrestd API, including the GET /slurm/v0.0.40/jobs/state/, GET /slurm/v0.0.41/jobs/state/ and GET /slurm/v0.0.42/jobs/state/ endpoints, to minimize exposure.
Exploit
Fix
LPE
Incorrect Authorization
RCE
Related Identifiers
Affected Products
Debian
Slurm
Ubuntu