Bugzilla – Bug 1198195
VUL-0: CVE-2022-26110: htcondor: mishandled privileges allow possible command injection
Last modified: 2022-04-07 12:15:01 UTC
An attacker need only have READ-level authorization to a vulnerable daemon using the CLAIMTOBE authentication method. This means they are able to run tools like condor_q or condor_status. Many pools do not restrict who can issue READ-level commands, and CLAIMTOBE is allowed for READ-level commands in the default configuration. Thus, it is likely that an attacker could execute this command remotely from an untrusted network, unless prevented by a firewall or other network-level access controls.