CVE-2026-47240 (MEDIUM): detected in Lambda Docker Images. #583

@the-lambda-watchdog

CVE Details

  • CVE ID: CVE-2026-47240
  • Severity: MEDIUM
  • Affected Package: net-imap
  • Installed Version: 0.5.8
  • Fixed Version: ~> 0.5.15, >= 0.6.4.1
  • Date Published: 2026-06-22T21:16:24.543Z
  • Date of Scan: 2026-06-24T10:19:10.31724607Z

Affected Docker Images

  • Image Name: public.ecr.aws/lambda/ruby:latest
    SHA: public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
  • Image Name: public.ecr.aws/lambda/ruby:4.0
    SHA: public.ecr.aws/lambda/ruby@sha256:deb470c7a55238628917444f3c4e7ad012ddab25cb22b072a38e5f16f8e5628e
  • Image Name: public.ecr.aws/lambda/ruby:3.4
    SHA: public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
  • Image Name: public.ecr.aws/lambda/ruby:3.3
    SHA: public.ecr.aws/lambda/ruby@sha256:b1c634bf4af56649719a79ad3bbafd9bbd94384d2b2170f44dc84ed59bea1368

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.

Remediation Steps

  • Update the affected package net-imap from the installed version 0.5.8 to a fixed version (~> 0.5.15, >= 0.6.4.1).

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
