CVE-2021-43337
Description
SchedMD Slurm 21.08.* before 21.08.4 has incorrect access control in SlurmDBD, allowing users to request job scripts and environment files they should not have access to when AccountingStoreFlags=job_script or job_env are enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SchedMD Slurm versions 21.08.0 through 21.08.3 are affected by an incorrect access control vulnerability in the SlurmDBD component when the AccountingStoreFlags=job_script and/or AccountingStoreFlags=job_env options are enabled. The vulnerability allows users to request job scripts and environment files that they should not have access to [1][3]. Only the 21.08 release series is affected; Slurm 20.11 and older releases are not vulnerable [3].
Exploitation
An attacker must be a legitimate user of a Slurm cluster that has enabled the AccountingStoreFlags=job_script and/or job_env options. The attacker can then make requests to SlurmDBD to retrieve job scripts and environment files belonging to other users, without needing administrative privileges or being an account coordinator [3]. The exact steps are not detailed in the available references, but the incorrect access control rules allow the attacker to bypass intended restrictions.
Impact
Successful exploitation allows an authenticated user to obtain sensitive information from other users' jobs, specifically job scripts and environment files. This can leak confidential data such as embedded passwords, proprietary algorithms, or other sensitive configurations. The attacker gains unauthorized read access to data that should be restricted to administrator privileges, account coordinators, or the submitting user themselves [3].
Mitigation
The vulnerability is fixed in Slurm version 21.08.4, released on November 16, 2021 [1][3]. Sites using the affected AccountingStoreFlags options should upgrade to 21.08.4 or later. SchedMD customers were notified on November 2, 2021, and could obtain a fix on request prior to the public release [3]. No workarounds are mentioned in the available references; disabling the AccountingStoreFlags=job_script and job_env options would prevent exposure, but those options may be required for some sites' accounting needs. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SchedMD/Slurm (38 entries)
Version ranges (36 entries, no CPE assigned):
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 22.05.5-150300.7.3.2
- (no CPE) range: < 22.05.5-150300.7.3.2
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-7.35.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-7.35.3
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-7.35.3
- (no CPE) range: < 2.34-7.35.3
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150100.10.14.1
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-150200.4.6.2
- (no CPE) range: < 2.34-7.35.5
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 2.34-150300.35.2
- (no CPE) range: < 22.05.5-150100.3.3.1
- (no CPE) range: < 22.05.5-150100.3.3.1
- (no CPE) range: < 22.05.5-150200.5.3.2
- (no CPE) range: < 22.05.5-150200.5.3.2
- (no CPE) range: < 22.05.5-3.3.5
- (no CPE) range: < 22.05.5-150300.7.3.2
- (no CPE) range: < 22.05.5-150300.7.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect access control in SlurmDBD allows users to request job scripts and environment files belonging to other users when AccountingStoreFlags=job_script and/or job_env are enabled."
Attack vector
An authenticated Slurm user can request job scripts or environment files belonging to other users via SlurmDBD. The bug is triggered when the site has enabled `AccountingStoreFlags=job_script` and/or `job_env` in the Slurm configuration [ref_id=1]. The advisory indicates that the existing access control rules in SlurmDBD are insufficient to prevent such cross-user requests, leading to unauthorized disclosure of job scripts and environment variables [ref_id=1]. No network-level preconditions beyond normal Slurm API access are described.
Affected code
The vulnerability resides in SlurmDBD's access control logic when `AccountingStoreFlags=job_script` and/or `job_env` are enabled. The advisory states that "the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access" [ref_id=1]. No patch diff is linked here, so the specific code paths are not identified; the issue affects SchedMD Slurm 21.08.* before 21.08.4.
What the fix does
The advisory does not include a patch diff, but the fix is delivered in Slurm 21.08.4 [ref_id=1]. The release notes indicate that the access control rules in SlurmDBD were corrected to properly enforce authorization when `AccountingStoreFlags=job_script` and/or `job_env` are used. Without the fix, users could request job scripts and environment files they should not have access to; with it, SlurmDBD checks the requesting user's permissions before returning these stored artifacts.
Preconditions
- config: The Slurm site must have `AccountingStoreFlags=job_script` and/or `job_env` enabled in the Slurm configuration.
- auth: The attacker must be an authenticated Slurm user able to submit requests to SlurmDBD.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VY34WSSPRPA6MISNYBZWHSGX2SYSEEE/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUWNGDQTS7AWFI7FIHUWQOYJSD2IQTCG/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.schedmd.com/pipermail/slurm-announce/ (MITRE, x_refsource_MISC)
- lists.schedmd.com/pipermail/slurm-announce/2021/000068.html (MITRE, x_refsource_CONFIRM)
- www.schedmd.com/news.php (MITRE, x_refsource_MISC)
- www.schedmd.com/news.php (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.