CVE-2023-49937: 
NixOS vulnerability analysis and mitigation

A double free vulnerability was discovered in SchedMD Slurm versions 22.05.x, 23.02.x, and 23.11.x. The vulnerability was disclosed on December 13, 2023, and fixed versions (22.05.11, 23.02.7, and 23.11.1) were released. This security issue affects the core functionality of the Slurm workload manager (Slurm Announce, NVD).

The vulnerability is classified as a double free issue in the _unpack_node_reg_resp() function. It received a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is tracked as CWE-415 (Double Free). The issue allows remote attackers to potentially execute arbitrary code or cause denial of service conditions (NVD).

The vulnerability can lead to denial of service conditions and potentially allow attackers to execute arbitrary code on affected systems. Given the CVSS score of 9.8, this represents a critical security risk for organizations using affected versions of Slurm (NVD).

There are no mitigations available for this vulnerability; the only option is to patch and restart the affected daemons. Organizations should upgrade to the fixed versions: 22.05.11, 23.02.7, or 23.11.1. Due to the complexity of these fixes, SchedMD does not recommend attempting to back-port the fixes to older releases (Slurm Announce).