The issue is present only in Zulip 5.0 through 5.6. No other Zulip release is affected and Zulip is not vulnerable to this issue. We would like to thank the community for responsibly reporting this issue to us. We are operating under the assumption that no changes have been made to the infrastructure of organizations with SCIM account management enabled since this issue was discovered.

Update 2018-01-19: We have received more reports of this issue. We now believe that it affects Zulip 5.7 and later as well.

Zulip is using an automated code review process to detect this issue. The automated process has ruled this issue as a false positive. We are continuing to monitor this issue, and we will be issuing a new release soon. The fix will be included in a future release. We are working with our SCIM partners to ensure that their users are upgraded to the latest version of Zulip as soon as possible. The companies where SCIM account management is enabled are being contacted directly.

SCIM Basics

SCIM stands for System for Cross-domain Identity Management. SCIM is a protocol for providing identity management services to web applications. It allows user accounts in an online service to be managed from the login information held in the organization's other identity systems, such as LDAP or Active Directory.

The Zulip team is working with our SCIM partners to ensure that their users are upgraded to the latest version of Zulip as soon as possible. The companies where SCIM account management is enabled are being contacted directly.

CVE-2018-6750


What is SCIM?

System for Cross-domain Identity Management (SCIM) is a protocol for managing identities and integrating them with web services.
SCIM provides a common set of standards to ensure that an identity can be managed, tracked, and authorized in the same way across different tools.
The SCIM standard includes APIs, protocols, specifications and definitions.
It is widely used by many companies including Amazon Web Services, Atlassian, Dropbox, Google Cloud Platform, Microsoft Azure Active Directory Federation Services (ADFS), Salesforce, Slack and Twilio.
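As an added example that is not part of the original page and is not Zulip's own code, the following Python shows the shape of a SCIM 2.0 provisioning request and the two checks a receiving server should perform before acting on it: verifying the client's bearer token (SCIM over HTTP, RFC 7644, commonly uses bearer authentication) and validating the User resource against the RFC 7643 core User schema. The sample payload, the token and the `/scim/v2/Users` endpoint name are constructed for illustration.

```python
"""Added example: validate a SCIM 2.0 User provisioning request.
Not Zulip's code; sample payload and token are constructed."""
import hmac
import json

# Core User schema URI from RFC 7643 section 4.1.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Error message schema URI from RFC 7644 section 3.12.
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed sample of what an identity provider would POST to /scim/v2/Users.
SAMPLE_PROVISIONING_REQUEST = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "idp-user-0042",
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [
        {"value": "jdoe@example.com", "primary": True},
        {"value": "jane.doe@example.org", "primary": False},
    ],
    "active": True,
})


def validate_bearer_token(auth_header, expected_token):
    """Check an 'Authorization: Bearer <token>' header in constant time."""
    if not isinstance(auth_header, str):
        return False
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def parse_scim_user(raw_body):
    """Return a normalized dict from a SCIM User JSON body.

    Raises ValueError for anything that is not a valid core User resource,
    so the caller can answer with a SCIM error instead of creating an account.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from None
    if not isinstance(body, dict):
        raise ValueError("SCIM resource must be a JSON object")
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or SCIM_USER_SCHEMA not in schemas:
        raise ValueError("missing core User schema URI")
    user_name = body.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        raise ValueError("userName is required (RFC 7643 section 4.1.1)")

    # Prefer the email marked primary; fall back to the first well-formed entry.
    emails = [e for e in body.get("emails") or [] if isinstance(e, dict) and e.get("value")]
    primary = [e["value"] for e in emails if e.get("primary")]
    email = primary[0] if primary else (emails[0]["value"] if emails else None)

    name = body.get("name") if isinstance(body.get("name"), dict) else {}
    parts = [name.get("givenName"), name.get("familyName")]
    full_name = " ".join(p for p in parts if isinstance(p, str) and p) or None

    return {
        "user_name": user_name.strip(),
        "external_id": body.get("externalId"),
        "email": email,
        "full_name": full_name,
        "active": bool(body.get("active", True)),
    }


def scim_error(status, detail):
    """Build an RFC 7644 error body; status is carried as a string per the spec."""
    return {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status), "detail": detail}


def handle_provisioning(headers, raw_body, expected_token):
    """Server-side handling of POST /scim/v2/Users: auth first, then validation.

    Returns (http_status, response_body).
    """
    if not validate_bearer_token(headers.get("Authorization"), expected_token):
        return 401, scim_error(401, "invalid or missing bearer token")
    try:
        user = parse_scim_user(raw_body)
    except ValueError as exc:
        return 400, scim_error(400, str(exc))
    # A real server would create the account here; we return the parsed user.
    return 201, user


if __name__ == "__main__":
    status, body = handle_provisioning(
        {"Authorization": "Bearer constructed-token"},
        SAMPLE_PROVISIONING_REQUEST,
        "constructed-token",
    )
    print(status, json.dumps(body, indent=2))
```

The order of checks matters: the token is verified before the body is parsed, so an unauthenticated client learns nothing about which payloads the server accepts, and schema validation happens before any account is touched.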

Timeline

Published on: 11/16/2022 20:15:00 UTC
Last modified on: 11/21/2022 20:22:00 UTC
