CVE-2018-7033
Description
SQL injection in SlurmDBD due to unsanitized user input allows accounting data loss or privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SchedMD Slurm versions before 17.02.10 and 17.11.x before 17.11.5 contain an SQL injection vulnerability in the SlurmDBD component. The flaw stems from incomplete sanitization of user-provided text strings, which are passed to database queries without proper escaping. This issue affects all SlurmDBD implementations back to Slurm 1.3, when the database daemon was introduced [2].
Exploitation
An attacker with the ability to supply crafted input to SlurmDBD—for example, through job submission commands or other interfaces that relay user strings to the database—can exploit the missing sanitization to inject arbitrary SQL statements. No special privileges beyond normal user access to the Slurm cluster are required, though network access to the SlurmDBD service is necessary [2].
Impact
Successful exploitation can lead to loss or corruption of accounting data, as well as escalation of user privileges on the cluster. The attacker may read, modify, or delete sensitive accounting records and potentially gain administrative control over Slurm resources [2].
Mitigation
Fixed versions 17.02.10 and 17.11.5 were released on March 15, 2018 [2]. Users should upgrade immediately. If upgrading is not possible, the only safe mitigation is to disable the slurmdbd service entirely. No other workarounds are available [2].
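The version boundaries above can be turned into a quick fleet triage. The following is an added example, not code from this page or from SchedMD. It assumes each host reports its version in the form `slurm X.Y.Z` (as printed by `slurmdbd -V`), that branches newer than 17.11 carry the fix, and it uses a constructed host inventory.

```python
import re

# Fixed releases per release branch, taken from the advisory text above.
FIXED = {(17, 2): (17, 2, 10), (17, 11): (17, 11, 5)}
NEWEST_PATCHED_BRANCH = (17, 11)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, micro) from a string such as 'slurm 17.11.4'."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "vulnerable"
    # Branches older than 17.02 have no fixed release on this page.
    # Assumption: branches newer than 17.11 already include the fix.
    return "fixed" if branch > NEWEST_PATCHED_BRANCH else "vulnerable"


def triage(inventory):
    """Group hosts by status so unpatched SlurmDBD hosts stand out."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, output in sorted(inventory.items()):
        report[classify(output)].append(host)
    return report


# Constructed sample data: hostname -> captured version output.
SAMPLE_INVENTORY = {
    "dbd01": "slurm 17.11.4",
    "dbd02": "slurm 17.11.5",
    "dbd03": "slurm 17.02.9",
    "dbd04": "slurm 16.05.11",
    "dbd05": "slurm 18.08.9",
    "dbd06": "slurmdbd: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Distribution packages may carry the fix under their own release suffix, so for packaged installs compare against the package ranges listed under Affected products rather than the upstream version alone.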
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (12 versions):
- pkg:rpm/opensuse/slurm&distro=openSUSE%20Tumbleweed (no CPE), range: < 21.08.1-1.1
- pkg:rpm/suse/pdsh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.33-7.18.1
- pkg:rpm/suse/pdsh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015 (no CPE), range: < 2.33-7.6.1
- pkg:rpm/suse/pdsh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP1 (no CPE), range: < 2.33-7.6.1
- pkg:rpm/suse/pdsh_slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.26.2
- pkg:rpm/suse/pdsh_slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.26.2
- pkg:rpm/suse/pdsh_slurm_20_11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.32.1
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 18.08.9-3.5.1
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015 (no CPE), range: < 18.08.9-1.5.2
- pkg:rpm/suse/slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 20.02.3-3.5.1
- pkg:rpm/suse/slurm_20_11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 20.11.4-3.5.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 17.02.10-6.16.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The SlurmDBD component does not properly sanitize user-supplied input before incorporating it into SQL queries."
Attack vector
An attacker can send specially crafted requests to the SlurmDBD service, which processes these requests without adequate validation. This allows the attacker to inject malicious SQL code into queries, leading to unauthorized data access or modification within the Slurm database. The vulnerability specifically targets the SlurmDBD component, which is responsible for accounting and database operations [ref_id=1].
Affected code
The vulnerability resides within the SlurmDBD component of SchedMD Slurm. Specifically, the code responsible for handling requests and constructing SQL queries is susceptible to injection attacks. The advisory does not specify exact file paths or function names, but it points to the SlurmDBD's interaction with its database as the vulnerable area [ref_id=1].
What the fix does
The advisory indicates that versions prior to 17.02.10 and 17.11.5 are affected. While specific patch details are not provided, the fix likely involves implementing robust input validation and parameterized queries within the SlurmDBD component to prevent SQL injection. This ensures that user-supplied data is treated as literal values rather than executable SQL code [ref_id=1].
Preconditions
- config: SlurmDBD must be enabled and running.
- auth: The attacker needs to be able to send requests to the SlurmDBD service.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2018/dsa-4254 (mitre, vendor-advisory, x_refsource_DEBIAN)
- lists.debian.org/debian-lts-announce/2018/04/msg00032.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2018/07/msg00029.html (mitre, mailing-list, x_refsource_MLIST)
- lists.schedmd.com/pipermail/slurm-announce/2018/000006.html (mitre, x_refsource_CONFIRM)
- www.schedmd.com/news.php (mitre, x_refsource_CONFIRM)