VYPR
← All advisories
Unrated severityNVD Advisory· Published May 30, 2018· Updated Aug 5, 2024

CVE-2018-10995

CVE-2018-10995

Description

Slurm before 17.02.11 and 17.11.7 mishandles user names and group IDs, potentially allowing privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Slurm before 17.02.11 and 17.11.7 mishandles user names and group IDs, potentially allowing privilege escalation.

Vulnerability

SchedMD Slurm versions prior to 17.02.11 and 17.11.x before 17.11.7 mishandle user name (user_name) and group ID (gid) fields in job requests [2]. This flaw resides in the job submission and processing logic, where the gid field is not securely validated, allowing an attacker to specify arbitrary group identifiers.

Exploitation

An attacker with the ability to submit jobs to a Slurm cluster can exploit this vulnerability by crafting a job request with a malicious gid field [2]. No additional authentication or special privileges are required beyond standard job submission access. The attacker must be able to connect to the Slurm controller and submit a job with a crafted gid.

Impact

Successful exploitation could allow an attacker to run jobs with an arbitrary group ID, potentially gaining unauthorized access to resources or privileges not normally available to their user account [2]. This could lead to privilege escalation within the Slurm environment, enabling the attacker to execute tasks as a different group or access restricted data.

Mitigation

The vulnerability is fixed in Slurm versions 17.02.11 and 17.11.7, released on May 30, 2018 [2]. Users should upgrade to these or later versions. No workarounds are documented; the only resolution is to apply the patch or upgrade. SchedMD also notes that similar vulnerabilities likely affect older, unsupported releases, so upgrading to a supported fixed version is strongly recommended [2].

References
  1. [slurm-announce] Slurm versions 17.02.11 and 17.11.7 are now available (CVE-2018-10995)

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

14

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The system mishandles user names and group IDs, allowing for improper validation."

Attack vector

An attacker can exploit this vulnerability by providing specially crafted user names and group IDs. The system's failure to properly validate these fields allows for unintended behavior. This could potentially lead to privilege escalation or unauthorized access within the Slurm environment. The exact attack vector depends on how these fields are processed in downstream operations.

Affected code

The vulnerability lies in the handling of user names (user_name fields) and group IDs (gid fields) within the SchedMD Slurm software. The specific code paths or functions responsible for processing these fields are not explicitly detailed in the provided release notes, but the fixes indicate that the core logic for user and group management was affected.

What the fix does

The patch addresses the vulnerability by improving the validation and handling of user names and group IDs. Specific changes are not detailed in the provided release notes, but the fixes aim to prevent the improper processing of these fields. This ensures that the system correctly interprets and enforces security policies related to user and group information, thereby closing the vulnerability.

Preconditions

  • configAffected versions of SchedMD Slurm are installed.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.