CVE-2022-26110

EUVD-2022-30678
An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
wischtcondor
8.8.0 ≤
𝑥
< 8.8.16
wischtcondor
9.0.0 ≤
𝑥
< 9.0.10
wischtcondor
9.1.0 ≤
𝑥
< 9.6.0
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
condor
sid
23.6.2+dfsg-2
fixed
trixie
23.6.2+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
condor
bionic
needs-triage
focal
needs-triage
noble
needs-triage
trusty
needs-triage
xenial
needs-triage
References
https://lists.debian.org/debian-lts-announce/2022/04/msg00016.html
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003/
https://www.debian.org/security/2022/dsa-5144
https://lists.debian.org/debian-lts-announce/2022/04/msg00016.html
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003/
https://www.debian.org/security/2022/dsa-5144