VYPR
Unrated severity · NVD Advisory · Published May 13, 2021 · Updated Aug 3, 2024

CVE-2021-31215

Description

In Slurm before 20.02.7 and 20.11.7, mishandling of environment variables in PrologSlurmctld or EpilogSlurmctld scripts allows remote code execution as SlurmUser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

SchedMD Slurm versions before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 are vulnerable to remote code execution due to environment mishandling when using a PrologSlurmctld or EpilogSlurmctld script [2]. The issue allows an attacker to manipulate environment variables to execute arbitrary commands as the SlurmUser.

Exploitation

An attacker must be able to submit a job that triggers the execution of a PrologSlurmctld or EpilogSlurmctld script. By crafting specific environment variables, the attacker can cause the script to run arbitrary commands. No authentication requirement is specified; any user with job submission rights can exploit this.

Impact

Successful exploitation allows remote code execution as the SlurmUser account, which typically has elevated privileges on the Slurm cluster. This can lead to full compromise of the Slurm controller and potentially other nodes.

Mitigation

The vulnerability is fixed in Slurm versions 20.02.7 and 20.11.7, released on May 12, 2021 [2]. Users should upgrade to these versions or later. As a workaround, ensure that PrologSlurmctld and EpilogSlurmctld scripts are not used or are properly secured.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

22

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Environment mishandling when PrologSlurmctld or EpilogSlurmctld scripts are used allows an attacker to influence environment variables and achieve remote code execution as SlurmUser."

Attack vector

An attacker who can submit a job to a Slurm cluster can exploit environment mishandling when a PrologSlurmctld or EpilogSlurmctld script is executed [1]. By crafting job submission parameters that influence the environment variables passed to these scripts, the attacker can achieve remote code execution as the SlurmUser. The attack requires the cluster to have PrologSlurmctld or EpilogSlurmctld scripts configured.

Affected code

The vulnerability affects SchedMD Slurm versions before 20.02.7 and 20.03.x through 20.11.x before 20.11.7. The advisory states that the issue arises because "use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling."

What the fix does

The advisory does not include a specific patch diff, but the fix is included in Slurm versions 20.02.7 and 20.11.7 [1]. The remediation addresses the environment mishandling that occurs when PrologSlurmctld or EpilogSlurmctld scripts are used, preventing untrusted environment variables from being passed to these scripts and thereby closing the remote code execution vector.

Preconditions

  • config: The cluster must have PrologSlurmctld or EpilogSlurmctld scripts configured in slurm.conf
  • auth: The attacker must be able to submit jobs to the Slurm cluster

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
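
A check that combines the affected version ranges with the slurm.conf precondition listed above, as an added example that is not part of the advisory or of Slurm's own code. The function names and the sample configuration are constructed for illustration; the parser reads a single slurm.conf text and does not follow Include directives.

```python
import re

# Fixed releases named in the advisory text above.
FIXED_20_02 = (20, 2, 7)
FIXED_20_11 = (20, 11, 7)
# slurm.conf parameter names are case-insensitive.
HOOKS = re.compile(r"^\s*(PrologSlurmctld|EpilogSlurmctld)\s*=\s*(\S+)", re.I)


def parse_version(text):
    """Extract (major, minor, micro) from a string such as 'slurm 20.11.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Slurm version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_affected(version):
    """True for releases before 20.02.7, or 20.03.x-20.11.x before 20.11.7."""
    v = parse_version(version)
    return v < FIXED_20_02 or (20, 3, 0) <= v < FIXED_20_11


def configured_hooks(conf_text):
    """Return {parameter: script path} for the controller prolog/epilog hooks."""
    hooks = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # ignore commented-out settings
        m = HOOKS.match(line)
        if m:
            hooks[m.group(1).lower()] = m.group(2)
    return hooks


def assess(version, conf_text):
    """Exposed only when both preconditions hold: old version and a hook set."""
    hooks = configured_hooks(conf_text)
    affected = version_affected(version)
    return {"version_affected": affected, "hooks": hooks,
            "exposed": affected and bool(hooks)}


# Constructed sample input, not taken from a real cluster.
SAMPLE_CONF = """\
ClusterName=demo
SlurmUser=slurm
#EpilogSlurmctld=/etc/slurm/old_epilog.sh
prologslurmctld=/etc/slurm/ctld_prolog.sh
Prolog=/etc/slurm/node_prolog.sh
"""
```

Feed `assess` the version string reported by the installed controller and the contents of the active slurm.conf; an `exposed` result means the upgrade to 20.02.7 or 20.11.7 (or later) is still outstanding on a cluster that runs these scripts.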
