CyberSec.Space Logo
Back to CVE Browser

CVE-2019-18823

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0190%
EPSS Percentile34.52th
PublishedApr 27, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. It is possible to use a different authentication method to submit a job than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user to the condor_schedd. (For example to submit or remove jobs)

Affected Platforms (CPE)

πŸ“¦
Wisc

Htcondor

>= 8.8.0 and <= 8.8.6
πŸ“¦
Wisc

Htcondor

>= 8.9.0 and <= 8.9.4
πŸ’»
Fedoraproject

Fedora

= 30
πŸ’»
Fedoraproject

Fedora

= 31
πŸ’»
Fedoraproject

Fedora

= 32
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Debian

Debian Linux

= 10.0

References & Advisories

πŸ”— https://lists.debian.org/debian-lts-announce/2021/08/msg00000.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EOTJJOSMYKXIYXWSG3H4KN332EDSEB6/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5YCZXYS67MLJSHR4OLSWVHBE6PZJSB/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMPZ7XPOPA4JGAQAUJ4K7JV653DSCIDK/
πŸ”— https://research.cs.wisc.edu/htcondor/
πŸ”— https://research.cs.wisc.edu/htcondor/new.html
πŸ”— https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0001.html
πŸ”— https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0002.html

Related Vulnerabilities

CVE-2021-253119.9

condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonst...

CVE-2014-81268.8

The scheduler in HTCondor before 8.2.6 allows remote authenticated users to execute arbitrary code.

CVE-2021-253128.8

HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authenticati...

CVE-2021-451028.8

An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. When authenticating to an HTCondor daemon using a S...