
CVE-2024-48936: n/a

Severity: Medium
Published: Mon Oct 28 2024 (10/28/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/26/2026, 00:21:44 UTC

Technical Analysis

CVE-2024-48936 is an authorization vulnerability affecting SchedMD Slurm workload manager versions prior to 24.05.4. The issue resides in the stepmgr component, which manages job steps within Slurm. Due to incorrect authorization checks, an attacker with limited privileges can execute processes under the context of other users' jobs. This vulnerability is constrained to jobs explicitly launched with the --stepmgr option or on systems where stepmgr is enabled globally via the SlurmctldParameters=enable_stepmgr configuration setting. The flaw stems from improper enforcement of access controls, classified under CWE-863 (Incorrect Authorization). The CVSS v3.1 base score is 5.0, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability. The vulnerability could allow unauthorized process execution, potentially leading to privilege escalation or interference with other users' workloads in multi-tenant HPC clusters. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of patch links suggests that users should monitor official SchedMD releases for updates or apply mitigations to restrict stepmgr usage.

Potential Impact

This vulnerability poses a risk primarily to organizations operating HPC clusters using Slurm workload manager with stepmgr enabled. Unauthorized execution of processes under other users' jobs can lead to confidentiality breaches by accessing sensitive job data, integrity violations by tampering with job execution, and availability issues by disrupting legitimate workloads. Multi-tenant HPC environments, research institutions, and enterprises relying on Slurm for critical compute tasks are at risk. Although exploitation requires some privileges and specific configurations, the potential for lateral movement and privilege escalation within clusters can have significant operational and security consequences. The impact is mitigated if stepmgr is not enabled or used sparingly, but environments with global stepmgr enablement face broader exposure. The medium CVSS score reflects moderate risk but should not be underestimated in sensitive or high-value HPC contexts.

Mitigation Recommendations

Organizations should immediately audit their Slurm configurations to determine if stepmgr is enabled globally or if jobs are run with the --stepmgr option. If stepmgr is not essential, disable it by removing enable_stepmgr from SlurmctldParameters and avoid using --stepmgr in job submissions. For environments requiring stepmgr, implement strict access controls and monitoring to detect anomalous process executions. Limit user privileges to the minimum necessary to reduce exploitation potential. Monitor Slurm logs for suspicious activity related to job steps and process executions. Stay informed on official SchedMD patches and apply version 24.05.4 or later once available to remediate the vulnerability. Consider network segmentation and isolation of HPC clusters to reduce exposure. Additionally, conduct regular security assessments focusing on authorization controls within Slurm components.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-10-09T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b7cb7ef31ef0b555dee

Added to database: 2/25/2026, 9:37:00 PM

Last enriched: 2/26/2026, 12:21:44 AM

Last updated: 4/12/2026, 5:13:53 PM
