CVE-2013-4319
published 2013-10-11
Priority: P3 · 53 · critical · 9 (CVSS 2.0)
AV:N/AC:L/Au:S/C:C/I:C/A:C
EPSS: 2.92% · 85.3th percentile
pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access by unprivileged ports, which allows remote authenticated users to execute arbitrary jobs by submitting a command.
Affected
77 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adaptivecomputing | torque_resource_manager | <= 4.0.2 | — |
CVSS provenance
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
osv · 9.0 CRITICAL
GHSA
GHSA-h32j-52qf-p7w4 [HIGH] · CVE-2013-4319 · ghsa_unreviewed · 2022-05-17
pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access by unprivileged ports, which allows remote authenticated users to execute arbitrary jobs by submitting a command.
OSV
CVE-2013-4319 [CRITICAL] · osv · 2013-10-11 · CVSS 9.0
pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access by unprivileged ports, which allows remote authenticated users to execute arbitrary jobs by submitting a command.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4319 [CRITICAL] torque: remote arbitrary command execution as root on cluster [epel-all]
bugzilla · 2013-09-09 · CVSS 9.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note:
Bugzilla
CVE-2013-4319 [CRITICAL] torque: remote arbitrary command execution as root on cluster
bugzilla · 2013-09-09 · CVSS 9.0
Upstream released a TORQUE security advisory [1] that indicated that a non-privileged user who was able to run jobs or log in to a node which ran pbs_server or pbs_mom could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root. All versions of TORQUE are affected.
The advisory also notes the following mitigating factors:
- The user must be logged in on a node that is already legitimately able to
contact pbs_mom daemons or submit jobs.
- If a user submits a job via this defect and pbs_server is running,
pbs_server will kill the job unless job syncing is disabled. It may take up
to 45 seconds for pbs_server to kill the job.
A patch for 2.5 is available [2], as well as 4.x [
- http://www.debian.org/security/2013/dsa-2770
- http://www.openwall.com/lists/oss-security/2013/09/09/11
- http://www.openwall.com/lists/oss-security/2013/09/09/4
- http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html