CVE-2023-49938
Description
In SchedMD Slurm 22.05.x and 23.02.x, an attacker can modify their extended group list used with the sbcast subsystem to open files with unauthorized extended groups.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue was discovered in SchedMD Slurm versions 22.05.x and 23.02.x [1]. The vulnerability resides in incorrect access control within the sbcast subsystem, allowing an attacker to modify their extended group list [1]. This manipulation causes file operations to be performed with an unauthorized set of extended groups [1]. The affected versions are 22.05.x (prior to 22.05.11) and 23.02.x (prior to 23.02.7) [1].
Exploitation
An attacker must have the ability to modify their own extended group list within the Slurm environment [1]. The attacker then uses this modified list when interacting with the sbcast subsystem, which opens files using the attacker-controlled extended group list rather than the correct set [1]. Nothing beyond standard user access is required: no authentication bypass and no particular network position.
Impact
A successful attack allows the attacker to open files with an unauthorized set of extended groups [1]. This can lead to unauthorized access to files that should be restricted, potentially resulting in information disclosure or unauthorized file operations [1]. The exact impact depends on the specific extended group memberships an attacker can claim.
Mitigation
The fixed versions are Slurm 22.05.11 and 23.02.7, released on December 13, 2023 [1][4]. SchedMD recommends upgrading to the patched versions and restarting the affected daemons [1]. No workarounds are available; patching is the only mitigation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords, 25 versions:
- pkg:rpm/opensuse/slurm_20_02&distro=openSUSE%20Leap%2015.5, range: < 20.02.7-150100.3.30.1
- pkg:rpm/opensuse/slurm_20_11&distro=openSUSE%20Leap%2015.5, range: < 20.11.9-150200.6.16.1
- pkg:rpm/opensuse/slurm_22_05&distro=openSUSE%20Leap%2015.5, range: < 22.05.11-150300.7.9.1
- pkg:rpm/opensuse/slurm&distro=openSUSE%20Leap%2015.5, range: < 23.02.7-150500.5.15.1
- pkg:rpm/suse/slurm_18_08&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 18.08.9-3.23.1
- pkg:rpm/suse/slurm_20_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 20.02.7-3.20.1
- pkg:rpm/suse/slurm_20_11&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 20.11.9-150200.6.16.1
- pkg:rpm/suse/slurm_20_11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 20.11.9-3.19.1
- pkg:rpm/suse/slurm_22_05&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 22.05.11-150200.5.9.1
- pkg:rpm/suse/slurm_22_05&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 22.05.11-150300.7.9.1
- pkg:rpm/suse/slurm_22_05&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 22.05.11-150300.7.9.1
- pkg:rpm/suse/slurm_22_05&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 22.05.11-150300.7.9.1
- pkg:rpm/suse/slurm_22_05&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 22.05.11-3.9.1
- pkg:rpm/suse/slurm_23_02&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 23.02.7-150200.5.17.1
- pkg:rpm/suse/slurm_23_02&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 23.02.7-150300.7.17.1
- pkg:rpm/suse/slurm_23_02&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 23.02.7-150300.7.17.1
- pkg:rpm/suse/slurm_23_02&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 23.02.7-150300.7.17.1
- pkg:rpm/suse/slurm_23_02&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 23.02.7-3.16.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 20.02.7-150200.3.20.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 20.11.9-150300.4.12.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 20.11.9-150400.3.3.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 20.11.9-150400.3.3.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2012, range: < 17.02.11-6.59.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP5, range: < 23.02.7-150500.5.15.1
- pkg:rpm/suse/slurm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5, range: < 23.02.7-150500.5.15.1
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/ (mitre, vendor-advisory)
- lists.schedmd.com/pipermail/slurm-announce/2023/000103.html (mitre)
- www.schedmd.com/security-archive.php (mitre)