CVE-2020-12693
Description
A race condition in Slurm's Message Aggregation feature allows authentication bypass, enabling a user to launch processes as an arbitrary user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A race condition exists in Slurm's optional Message Aggregation subsystem when it is enabled via MsgAggregationParams=WindowMsgs= with a value greater than 1. This affects Slurm versions 19.05.x before 19.05.7 and 20.02.x before 20.02.3 [2]. The bug was discovered during a review of a cleanup patch and allows authentication bypass through an alternate path or channel.
Exploitation
An attacker must have a valid user account on the Slurm cluster and the system must have Message Aggregation enabled (which is off by default and not recommended). The race condition can be triggered to launch a process as an arbitrary user, including root if the attacker has the necessary privileges to submit jobs. No additional authentication is required beyond the initial user account.
Impact
Successful exploitation allows an attacker to execute arbitrary processes as any user on the system, leading to full compromise of the Slurm cluster and potential privilege escalation. This results in complete loss of confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in Slurm versions 19.05.7 and 20.02.3, released on May 21, 2020 [2]. SchedMD customers received a patch on request on May 7, 2020. As a workaround, disable Message Aggregation by ensuring MsgAggregationParams is not set or set with WindowMsgs=1. The feature is not recommended and may be retired in a future release.
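A configuration and version check for the workaround above, as an added example (not code from the advisory or from SchedMD): it reads slurm.conf text, extracts the WindowMsgs setting, and compares a version string against the two affected ranges stated here. The sample config, function names and version strings are constructed for illustration, and Include directives are not followed.

```python
import re

# Fixed patch level per release series, as stated on this page:
# 19.05.x before 19.05.7 and 20.02.x before 20.02.3 are affected.
FIXED = {(19, 5): 7, (20, 2): 3}

# Constructed sample, not a real cluster configuration.
SAMPLE_CONF = """\
ClusterName=demo
SlurmctldHost=ctl0
#MsgAggregationParams=WindowMsgs=1
msgaggregationparams=WindowTime=50,WindowMsgs=10
"""

def window_msgs(conf_text):
    """Return the WindowMsgs value found in slurm.conf text (1 = aggregation off)."""
    value = 1  # off unless MsgAggregationParams raises WindowMsgs above 1
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"MsgAggregationParams\s*=\s*(.*)$", line, re.I)
        if not m:
            continue
        for opt in m.group(1).split(","):
            key, _, val = opt.strip().partition("=")
            if key.lower() == "windowmsgs" and val.strip().isdigit():
                # Assumption: duplicate keys are not modelled, so report
                # the largest value seen (conservative for an audit).
                value = max(value, int(val))
    return value

def version_affected(version):
    """True if version (e.g. '20.02.2') falls in a range listed as affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Slurm version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def assess(conf_text, version):
    """Combine the config and version checks into one finding string."""
    if window_msgs(conf_text) <= 1:
        return "ok: message aggregation disabled"
    if version_affected(version):
        return "vulnerable: aggregation enabled on an affected release"
    return "review: aggregation enabled; release not in the ranges listed here"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "20.02.2"))
```

A "review" result means only that the release is outside the two upstream ranges; distribution packages of other series appear under Affected products and should be checked against their own fixed versions.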
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Slurm/Slurm (description)
- osv-coords, 17 versions:
- pkg:rpm/opensuse/slurm&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 18.08.9-lp151.2.10.1
- pkg:rpm/opensuse/slurm&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 18.08.9-lp152.2.1
- pkg:rpm/opensuse/slurm&distro=openSUSE%20Tumbleweed (no CPE), range: < 21.08.1-1.1
- pkg:rpm/suse/pdsh&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.32.1
- pkg:rpm/suse/pdsh_slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.26.2
- pkg:rpm/suse/pdsh_slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.26.2
- pkg:rpm/suse/pdsh_slurm_20_11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 2.34-7.32.1
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 18.08.9-1.8.2
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 18.08.9-1.8.2
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 18.08.9-3.8.1
- pkg:rpm/suse/slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 20.02.3-3.5.1
- pkg:rpm/suse/slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP1 (no CPE), range: < 20.02.3-3.8.1
- pkg:rpm/suse/slurm_20_11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 20.11.4-3.5.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 17.11.13-6.31.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 17.11.13-6.31.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012 (no CPE), range: < 17.02.11-6.44.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP1 (no CPE), range: < 18.08.9-3.13.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Race condition in Slurm's Message Aggregation feature allows authentication bypass via an alternate path or channel."
Attack vector
An attacker exploits a race condition in Slurm's Message Aggregation feature. When Message Aggregation is enabled, a race condition allows a user to launch a process as an arbitrary user, bypassing authentication [ref_id=1]. The attacker must have network access to the Slurm cluster and the ability to submit jobs or messages while Message Aggregation is active.
Affected code
The advisory [ref_id=1] states the bug affects Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3 when Message Aggregation is enabled. The specific code paths are not named in the advisory, but the vulnerability involves an authentication bypass via an alternate path or channel in the message aggregation logic.
What the fix does
The advisory [ref_id=1] indicates the fix is to upgrade to Slurm 19.05.7 or 20.02.3 or later. No patch diff is provided in the bundle. The remediation closes the race condition in the Message Aggregation code path that allowed authentication bypass via an alternate channel.
Preconditions
- config: Message Aggregation must be enabled in the Slurm configuration
- network: Attacker must have network access to the Slurm cluster
- input: Attacker must be able to submit jobs or messages to the cluster
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00035.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00063.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNL5E5SK4WP6M3DKU4IKW2NPQD2XTZ4Y/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3RGQB3EWDLOLTSPAJPPWZEPQK3O3AUH/ (mitre, vendor-advisory, x_refsource_FEDORA)
- www.debian.org/security/2021/dsa-4841 (mitre, vendor-advisory, x_refsource_DEBIAN)
- lists.debian.org/debian-lts-announce/2022/01/msg00011.html (mitre, mailing-list, x_refsource_MLIST)
- lists.schedmd.com/pipermail/slurm-announce/2020/000036.html (mitre, x_refsource_CONFIRM)
- www.schedmd.com/news.php (mitre, x_refsource_CONFIRM)