CVE-2017-15566
Published: 1 November 2017
Insecure SPANK environment variable handling exists in SchedMD Slurm before 16.05.11, 17.x before 17.02.9, and 17.11.x before 17.11.0rc2, allowing privilege escalation to root during Prolog or Epilog execution.
Notes
| Author | Note |
|---|---|
| msalvatore | "This issue affects all Slurm versions from 15.08.0" |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
slurm-llnl Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
| bionic |
Not vulnerable
(17.11.2-1build1)
|
|
| cosmic |
Not vulnerable
(17.11.2-1build1)
|
|
| disco |
Not vulnerable
(17.11.2-1build1)
|
|
| eoan |
Does not exist
|
|
| focal |
Not vulnerable
(19.05.3.2-2)
|
|
| groovy |
Not vulnerable
(19.05.3.2-2)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(16.05.11, 17.02.9, 17.11.0rc2)
|
|
| xenial |
Released
(15.08.7-1ubuntu0.1~esm3)
|
|
| zesty |
Ignored
(reached end-of-life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |