CVE-2024-6387 in SCIM Bridge

jay33sx
Community Member

According to our vulnerability scanning tool (Wiz), the 1Password SCIM Bridge is vulnerable to the OpenSSH issue detailed in the CVE above.

This vulnerability appears to be present even after upgrading to the latest version of the SCIM bridge, 2.9.5. Are there plans to update the image to address this CVE, and does anyone know when this might be released?

(I did search for the CVE number, but didn't get any results.)


Comments

  • hemal.g_1p

    Hi @jay33sx

    Thanks for reaching out.

    The 1Password SCIM bridge is built on a distroless image that only contains the necessary tooling to run the SCIM bridge, which does not include OpenSSH. The SCIM bridge image itself is not affected by this vulnerability.

    With that said, the cloud provider you might be using to host your SCIM bridge may include the OpenSSH binary on the hosting provider's nodes (or hosts) that house your SCIM bridge.

    For example, for instances on GCP running a Linux-based OS, here is the guideline to resolve the issue.
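The reply above draws a line between the container image and the host it runs on. As an added example (not part of hemal.g_1p's reply and not 1Password's code), the script below shows how to verify both halves of that claim yourself rather than relying on the scanner's verdict: it inspects an exported container root filesystem for OpenSSH binaries or package metadata, and it triages the OpenSSH version banner reported by a host. The sample tarball and banners are constructed inline; in practice the tar would come from `docker create <image>` followed by `docker export <container>`, and the banner from `ssh -V` (or `sshd -V`) on the node. The version range check reflects the upstream advisory for CVE-2024-6387 (8.5p1 through 9.7p1 affected, fixed in 9.8p1); distributions often backport the fix without bumping that version, so a match on the upstream range only means "check the vendor package changelog", which is exactly the kind of finding a version-based scanner can misreport.

```python
import io
import re
import tarfile

# Paths inside an exported container rootfs (docker create + docker export yields a
# flat tar of the filesystem) that indicate OpenSSH is present. Distroless images keep
# per-package metadata under var/lib/dpkg/status.d/, which is the third pattern.
OPENSSH_PATH_PATTERNS = (
    re.compile(r"^(usr/(local/)?)?s?bin/(sshd|ssh|ssh-agent|ssh-keygen|scp|sftp)$"),
    re.compile(r"^usr/lib(exec)?/openssh/"),
    re.compile(r"^var/lib/dpkg/status\.d/openssh"),
)


def openssh_files_in_rootfs_tar(tar_bytes: bytes) -> list[str]:
    """Return the member names of an exported rootfs tar that belong to OpenSSH.

    An empty list means the image itself ships no OpenSSH binaries or package
    entries, which is the situation the reply describes for the SCIM bridge image.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name.lstrip("./")  # normalise "./usr/..." and "/usr/..."
            if any(p.match(name) for p in OPENSSH_PATH_PATTERNS):
                hits.append(member.name)
    return hits


def build_sample_rootfs_tar(paths: list[str]) -> bytes:
    """Construct a tiny in-memory rootfs tar (sample data for this example only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path in paths:
            info = tarfile.TarInfo(name=path)
            info.size = 0
            tf.addfile(info)
    return buf.getvalue()


# Matches "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL ..." from `ssh -V`, and the
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4" form a server sends on connect.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?\s*([^,\r\n]*)")


def triage_openssh_banner(banner: str) -> dict:
    """Decide whether a host's OpenSSH build falls in the CVE-2024-6387 upstream range.

    Upstream affected range: 8.5p1 through 9.7p1 (and pre-4.4 builds lacking the
    older CVE-2006-5051 fix). A vendor suffix after the version means the package
    is a distribution build that may carry a backported fix, so the result flags
    that the vendor changelog must be checked before treating it as vulnerable.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSH version found in banner: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    version = (major, minor)
    upstream_affected = (8, 5) <= version <= (9, 7) or version < (4, 4)
    vendor_suffix = m.group(4).strip()
    portable = f"p{m.group(3)}" if m.group(3) else ""
    return {
        "upstream_version": f"{major}.{minor}{portable}",
        "upstream_affected": upstream_affected,
        "vendor_suffix": vendor_suffix,
        # Only a distro build in the affected range needs the changelog check.
        "needs_vendor_check": upstream_affected and bool(vendor_suffix),
    }


if __name__ == "__main__":
    # Constructed sample: a distroless-style rootfs without OpenSSH, and one with sshd.
    clean = build_sample_rootfs_tar(["etc/ssl/certs/ca-certificates.crt",
                                     "var/lib/dpkg/status.d/libc6", "usr/bin/app"])
    withssh = build_sample_rootfs_tar(["usr/sbin/sshd", "etc/ssh/sshd_config"])
    print("clean image:", openssh_files_in_rootfs_tar(clean))       # []
    print("image with sshd:", openssh_files_in_rootfs_tar(withssh)) # ['usr/sbin/sshd']
    for banner in ("OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13 30 Jan 2024",
                   "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
                   "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3"):
        print(banner, "->", triage_openssh_banner(banner))
```

Run the image check against the actual SCIM bridge image you deploy and the banner check on each node; a scanner finding that names the container but only matches the host's OpenSSH package is the mismatch the reply is pointing at.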