VYPR
Unrated severity · NVD Advisory · Published Jul 11, 2019 · Updated Aug 4, 2024

CVE-2019-12838

Description

SQL injection in SchedMD Slurm's sacctmgr archive load allows authenticated users to execute arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-12838 is a SQL injection vulnerability in SchedMD Slurm's sacctmgr archive load functionality. The flaw exists in versions 17.11.x, 18.08.0 through 18.08.7, and 19.05.0. An authenticated user with access to the sacctmgr command can inject malicious SQL statements via crafted input to the archive load operation [3].

Exploitation

An attacker must have valid credentials and the ability to run the sacctmgr archive load command. By supplying specially crafted parameters, the attacker can inject SQL commands that are executed against the Slurm accounting database. No additional privileges beyond standard sacctmgr access are required [3].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements on the underlying database. This can lead to unauthorized reading, modification, or deletion of accounting data, potentially compromising the integrity and confidentiality of job and user information. The attacker gains the same level of access as the database user configured for Slurm [3].

Mitigation

SchedMD released fixed versions 18.08.8 and 19.05.1 on July 10, 2019 [3]. Users should upgrade to these or later versions. For those unable to upgrade immediately, SchedMD provided a patch to customers upon request as of June 26, 2019. No workaround is documented; upgrading is the recommended action [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 21

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Improper sanitization of user-supplied input in SQL query construction allows SQL Injection."

Attack vector

An attacker can exploit a SQL Injection vulnerability in Slurm by sending crafted input to the database-backed accounting commands (e.g., `sacctmgr`). The advisory does not detail the exact payload shape or network path, but SQL Injection typically allows an attacker to manipulate SQL queries by injecting malicious characters into user-supplied fields. This could lead to unauthorized data access, modification, or privilege escalation within the Slurm accounting database [ref_id=1].

Affected code

The advisory does not specify exact file paths or functions. The vulnerability exists in SchedMD Slurm versions 17.11.x, 18.08.0 through 18.08.7, and 19.05.0, and is described as a SQL Injection flaw. The affected code is likely within the database query construction logic used by `sacctmgr`, `slurmdbd`, or related accounting components, though the advisory does not name specific functions.

What the fix does

The advisory does not include a patch diff or specific remediation steps. The release notes page [ref_id=1] lists the affected versions but does not describe the fix. Users are advised to upgrade to a patched release beyond 19.05.0; however, no explicit fix details are published in the provided bundle.

Preconditions

  • input: The attacker must be able to supply input to a Slurm command or API that constructs SQL queries (e.g., `sacctmgr` or `slurmdbd` queries).
  • config: The target Slurm deployment must be running one of the affected versions (17.11.x, 18.08.0–18.08.7, or 19.05.0) with database-backed accounting enabled.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0 (no linked articles in our index yet)