CVE-2021-31215 - OpenCVE

SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Schedmd	Slurm
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:schedmd:slurm::::::::
	cpe:2.3:a:schedmd:slurm::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2022/01/msg00011.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRHTASFAU5FNB2MJOG67YID2ONQS5MCQ/
https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html	Vendor Advisory
https://www.schedmd.com/news.php?id=248#OPT_248	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-13T05:51:41

Updated: 2022-01-17T21:06:29

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31215

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-13T06:15:07.180

Modified: 2023-11-07T03:34:55.523

Link: CVE-2021-31215

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-17T21:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.schedmd.com/news.php?id=248#OPT_248"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html"}, {"name": "FEDORA-2021-335cd3eab7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/"}, {"name": "FEDORA-2021-f75a803ff3", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRHTASFAU5FNB2MJOG67YID2ONQS5MCQ/"}, {"name": "[debian-lts-announce] 20220117 [SECURITY] [DLA 2886-1] slurm-llnl security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00011.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31215", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.schedmd.com/news.php?id=248#OPT_248", "refsource": "CONFIRM", "url": "https://www.schedmd.com/news.php?id=248#OPT_248"}, {"name": "https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html", "refsource": "CONFIRM", "url": "https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html"}, {"name": "FEDORA-2021-335cd3eab7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/"}, {"name": "FEDORA-2021-f75a803ff3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PRHTASFAU5FNB2MJOG67YID2ONQS5MCQ/"}, {"name": "[debian-lts-announce] 20220117 [SECURITY] [DLA 2886-1] slurm-llnl security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00011.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31215", "datePublished": "2021-05-13T05:51:41", "dateReserved": "2021-04-15T00:00:00", "dateUpdated": "2022-01-17T21:06:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schedmd:slurm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C1AC3CB-9AD5-4C2F-8DD4-4A19B7CE1A6D", "versionEndExcluding": "20.02.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:schedmd:slurm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E7D7C08-C766-4A51-9C98-A6A50856AF7B", "versionEndExcluding": "20.11.7", "versionStartIncluding": "20.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling."}, {"lang": "es", "value": "SchedMD Slurm versiones anteriores a 20.02.7 y versiones 20.03.xa 20.11.x anteriores a 20.11.7, permite una ejecuci\u00f3n de c\u00f3digo remota como SlurmUser porque el uso de un script PrologSlurmctld o EpilogSlurmctld conlleva a un manejo inapropiado del entorno"}], "id": "CVE-2021-31215", "lastModified": "2023-11-07T03:34:55.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-13T06:15:07.180", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00011.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ODMJQNY4FAV7G3DSKVIO5KY7Q7DKBPU/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRHTASFAU5FNB2MJOG67YID2ONQS5MCQ/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.schedmd.com/news.php?id=248#OPT_248"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}