HTCondor Access Point User Impersonation Vulnerability

Vulnerability

A vulnerability in HTCondor Access Point versions from 24.7.3 up to, but not including, 25.3.1 allows authenticated users to impersonate other users on the same machine by submitting batch jobs. The Access Point can be made to run a job as if a different non-root user had submitted it.

Impact

Exploiting this vulnerability allows an authenticated user to submit jobs that execute as other non-privileged users in the pool, potentially leading to unauthorized access or actions under the impersonated user's identity.

Reproduction

To reproduce this vulnerability, an authenticated user with WRITE access to the Schedd daemon can submit a specially-crafted job that exploits the impersonation flaw. After the job is submitted, the Access Point must be upgraded to a vulnerable version. Once this is done, the submitted job will run as if it had been submitted by another non-privileged user, chosen by the attacker before the upgrade.

Remediation

Users can upgrade to HTCondor Access Point versions 24.12.14, 25.0.3, or 25.3.1 to address this vulnerability.
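
A version check for the release boundaries listed above, as an added example (not HTCondor project code). It assumes that later releases on the 24.x and 25.0.x lines also carry the fix and that the version is read from a `$CondorVersion: X.Y.Z ... $` banner; the sample banners, including their dates and build IDs, are constructed.

```python
import re

# Release boundaries as stated in the advisory text.
FIRST_AFFECTED = (24, 7, 3)
FIXED_24 = (24, 12, 14)    # fixed release on the 24.x line
FIXED_25_0 = (25, 0, 3)    # fixed release on the 25.0.x line
FIXED_25 = (25, 3, 1)      # fixed release on the later 25.x line

# Constructed sample banners in the "$CondorVersion: ... $" layout.
SAMPLE_BANNERS = [
    "$CondorVersion: 24.7.3 2025-01-01 BuildID: 000000 PackageID: 24.7.3-1 $",
    "$CondorVersion: 24.12.14 2025-01-01 BuildID: 000000 PackageID: 24.12.14-1 $",
    "$CondorVersion: 25.0.2 2025-01-01 BuildID: 000000 PackageID: 25.0.2-1 $",
    "$CondorVersion: 25.3.1 2025-01-01 BuildID: 000000 PackageID: 25.3.1-1 $",
]

_BANNER_RE = re.compile(r"\$CondorVersion:\s+(\d+)\.(\d+)\.(\d+)\s")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\s*")

def parse_version(text):
    """Return (major, minor, patch) from a banner line or a bare 'X.Y.Z'."""
    match = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"no HTCondor version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """True if the version falls in the advisory's affected range."""
    if version < FIRST_AFFECTED or version >= FIXED_25:
        return False
    if version[0] == 24:
        # Assumption: 24.12.14 and any later 24.x release carry the fix.
        return version < FIXED_24
    if version[:2] == (25, 0):
        # Assumption: 25.0.3 and any later 25.0.x release carry the fix.
        return version < FIXED_25_0
    return True  # 25.1.0 up to 25.3.0

def audit(banners):
    """Map each parsed version string to 'affected' or 'not affected'."""
    results = {}
    for banner in banners:
        version = parse_version(banner)
        label = "affected" if is_affected(version) else "not affected"
        results[".".join(map(str, version))] = label
    return results

if __name__ == "__main__":
    for version, label in audit(SAMPLE_BANNERS).items():
        print(f"{version}: {label}")
```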

Added: Nov 30, 2025, 5:17 AM
Updated: Nov 30, 2025, 5:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 3.2
remediation: 7.7
relevance: 1.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.