Skip to content

CVE-2026-47241 (LOW): detected in Lambda Docker Images. #585

Description

@the-lambda-watchdog

CVE Details

CVE ID Severity Affected Package Installed Version Fixed Version Date Published Date of Scan
CVE-2026-47241 LOW net-imap 0.5.8 ~> 0.5.15, >= 0.6.4.1 2026-06-22T21:16:24.677Z 2026-06-24T10:19:10.31724607Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
public.ecr.aws/lambda/ruby:4.0 public.ecr.aws/lambda/ruby@sha256:deb470c7a55238628917444f3c4e7ad012ddab25cb22b072a38e5f16f8e5628e
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:a00f8f33a0db8c2723951075efd02a008a758e3b86ee69a7448f3673b1790b00
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:b1c634bf4af56649719a79ad3bbafd9bbd94384d2b2170f44dc84ed59bea1368

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.


Remediation Steps

  • Update the affected package net-imap from version 0.5.8 to ~> 0.5.15, >= 0.6.4.1.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions