CVE-2013-4495
published 2013-11-20


Priority: P2 (58) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EPSS: 3.27% (86.8th percentile)
The send_the_mail function in server/svr_mail.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 4.2.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the email (-M switch) to qsub.

Affected

77 ranges (showing 25)

Vendor: adaptivecomputing · Product: torque_resource_manager · Version range: <= 4.2.5 · Fixed in: (not listed)
(The remaining 24 rows shown repeat the same vendor and product with no version range.)

Detection & IOCs (extracted from sources)

command: qsub -M <shell_metacharacters>
path: server/svr_mail.c
  • Monitor for shell metacharacters in the email address field (-M switch) passed to qsub, which are forwarded to popen() in send_the_mail() within server/svr_mail.c
  • Alert on pbs_server process spawning unexpected child processes or shell commands, as exploitation results in arbitrary code execution as root via popen() with user-supplied email address strings
  • Flag TORQUE versions prior to 4.2.6 (including 3.0.x branch) as vulnerable; the fix replaced popen() with fork+exec to sendmail, so unpatched instances will use popen() for mail delivery
  • Look for the string 'TRQ-2310' or 'CVE 2013-4495' in TORQUE release notes/changelogs to confirm whether a deployment has been patched
  • Exploitation requires authentication; the attacker must be able to submit jobs (authenticated qsub user), so this is not an unauthenticated remote attack despite the NVD description saying 'remote attackers'
  • The 3.0.x branch of TORQUE is no longer supported upstream; deployments on that branch require backported patches or upgrade to 4.2.6+
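The shape of the upstream fix named in the bullets above (popen() on a string containing the user-supplied -M address replaced by fork+exec of sendmail with the address as a single argv entry), as an added C example that is not TORQUE's own code. The allow-list validator, the sendmail path and the "-i" flag are assumptions made for the example.

```c
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Conservative allow-list for one address: letters, digits and . _ - +
   in the local part and domain, exactly one '@', and an alphanumeric
   first character so the value can never be read as an MTA option.
   Every shell metacharacter (; | & $ ` < > ( ) " ' space, ...) is
   rejected. Returns 1 if the address is safe to pass as an argv entry. */
int mail_addr_is_safe(const char *addr) {
    size_t n = addr ? strlen(addr) : 0;
    int at = 0;
    if (n == 0 || n > 254 || !isalnum((unsigned char)addr[0])) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+') continue;
        if (c == '@' && !at && i + 1 < n) { at = 1; continue; }
        return 0;                      /* anything else, or a second '@' */
    }
    return at;
}

/* Deliver the message with fork+execv of a sendmail binary (path is an
   assumption). The address is one argv element, so no shell ever
   tokenises it, which is what removing popen() achieves. Returns 0 on
   success, -1 on a rejected address or on delivery failure. */
int send_the_mail_safe(const char *sendmail_path, const char *to,
                       const char *body) {
    int fds[2], status = 0;
    pid_t pid;
    if (!mail_addr_is_safe(to) || pipe(fds) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);          /* a dead child must not kill the daemon */
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: stdin <- pipe, exec the MTA */
        char *argv[] = { "sendmail", "-i", (char *)to, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(sendmail_path, argv);
        _exit(127);                    /* exec failed: report non-zero */
    }
    close(fds[0]);                     /* parent: feed the body, then reap */
    if (write(fds[1], body, strlen(body)) < 0) { /* EPIPE: child already gone */ }
    close(fds[1]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```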

CVSS provenance

NVD: CVSS v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
OSV: 10.0 · CRITICAL