CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-47240 | MEDIUM | net-imap | 0.5.8 | ~> 0.5.15, >= 0.6.4.1 | 2026-06-22T21:16:24.543Z | 2026-06-24T10:19:10.31724607Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/ruby:latest | public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00 |
| public.ecr.aws/lambda/ruby:4.0 | public.ecr.aws/lambda/ruby@sha256:deb470c7a55238628917444f3c4e7ad012ddab25cb22b072a38e5f16f8e5628e |
| public.ecr.aws/lambda/ruby:3.4 | public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00 |
| public.ecr.aws/lambda/ruby:3.3 | public.ecr.aws/lambda/ruby@sha256:b1c634bf4af56649719a79ad3bbafd9bbd94384d2b2170f44dc84ed59bea1368 |
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.
Remediation Steps
- Update the affected package net-imap from version 0.5.8 to ~> 0.5.15, >= 0.6.4.1.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.