CVE-2022-26110

An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
VendorProductVersion
wischtcondor
8.8.0 ≤
𝑥
< 8.8.16
wischtcondor
9.0.0 ≤
𝑥
< 9.0.10
wischtcondor
9.1.0 ≤
𝑥
< 9.6.0
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
condor
sid
23.6.2+dfsg-2
fixed
trixie
23.6.2+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
condor
noble
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
References
https://lists.debian.org/debian-lts-announce/2022/04/msg00016.html
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003/
https://www.debian.org/security/2022/dsa-5144
https://lists.debian.org/debian-lts-announce/2022/04/msg00016.html
https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003/
https://www.debian.org/security/2022/dsa-5144