VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 28, 2024· Updated Oct 30, 2024

CVE-2024-48936

CVE-2024-48936

Description

SchedMD Slurm before 24.05.4 has an incorrect authorization flaw in stepmgr, letting an attacker execute processes under other users' jobs if stepmgr is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SchedMD Slurm before 24.05.4 has an incorrect authorization flaw in stepmgr, letting an attacker execute processes under other users' jobs if stepmgr is enabled.

Vulnerability

A mistake in authentication handling in SchedMD Slurm's stepmgr subsystem, present in versions before 24.05.4, permits incorrect authorization. The vulnerability is triggered only for jobs explicitly run with --stepmgr or on systems that have globally enabled stepmgr via the SlurmctldParameters=enable_stepmgr configuration option [1].

Exploitation

An attacker requires network access to a Slurm cluster and the ability to submit jobs or interact with the stepmgr. They can then exploit the authentication flaw to execute arbitrary processes under other users' jobs, without needing further authentication or authorization steps [1].

Impact

Successful exploitation allows the attacker to execute processes in the context of another user's running job. This can lead to unauthorized data access, privilege escalation within the job environment, and potential compromise of the user's data or system resources [1].

Mitigation

The vulnerability is fixed in Slurm version 24.05.4, released on 2024-10-28 [1]. Users should upgrade to this version or apply the patch provided to SchedMD customers on October 9, 2024 [1]. If unable to upgrade, disabling stepmgr globally (removing SlurmctldParameters=enable_stepmgr) and avoiding the use of --stepmgr can mitigate exposure.

References
  1. [slurm-announce] Slurm version 24.05.4 is now available (CVE-2024-48936) - slurm-announce

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A mistake in authentication handling within the stepmgr subsystem allowed for improper authorization."

Attack vector

An attacker could exploit this vulnerability by executing processes under other users' jobs. This attack is only possible on systems where jobs are explicitly run with the --stepmgr flag or where stepmgr is globally enabled via the SlurmctldParameters=enable_stepmgr configuration setting [ref_id=1]. The vulnerability stems from a flaw in how stepmgr handles authentication, permitting unauthorized process execution.

Affected code

The vulnerability resides within the stepmgr subsystem, specifically in its authentication handling mechanisms. The advisory does not specify exact file paths or function names, but notes that the issue is present in versions prior to 24.05.4 [ref_id=1].

What the fix does

Slurm version 24.05.4 includes a fix for the authentication handling mistake in the stepmgr subsystem. This update addresses the incorrect authorization that could allow an attacker to execute processes under other users' jobs. The advisory indicates that SchedMD customers were informed and provided with a patch on request prior to the public release [ref_id=1].

Preconditions

  • configThe system must have stepmgr globally enabled via SlurmctldParameters=enable_stepmgr.
  • inputThe vulnerable job must be explicitly run with the --stepmgr flag.

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.