// For flags

CVE-2022-31251

slurm: %post for slurm-testsuite operates as root in user owned directory

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.

Una vulnerabilidad de Permisos Incorrectos por Defecto en el empaquetado del testuite slurm de openSUSE Factory permite a atacantes locales con control sobre el usuario slurm escalar a root. Este problema afecta a openSUSE Factory slurm versiones anteriores a 22.05.2-3.3

An update that solves three vulnerabilities and has one errata is now available. This update for slurm_20_02 fixes the following issues. Fixed security vulnerability in the test package. Fixed architectural flaw that can be exploited to allow an unprivileged user to execute arbitrary processes as root. Fixed vulnerability where an unprivileged user can send data to arbitrary unix socket as root. Bugfixes.

*Credits: Johannes Segitz from SUSE
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High
Attack Vector
Local
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-05-20 CVE Reserved
  • 2022-09-07 CVE Published
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • 2025-07-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-276: Incorrect Default Permissions
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://bugzilla.suse.com/show_bug.cgi?id=1201674 2024-09-17
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Opensuse
Search vendor "Opensuse"
 Factory
Search vendor "Opensuse" for product "Factory"
 < 22.05.2-3.3
Search vendor "Opensuse" for product "Factory" and version " < 22.05.2-3.3"
-
Affected