RHSA-2026:33721

Vulnerability from csaf_redhat - Published: 2026-06-30 19:02 - Updated: 2026-07-01 00:21
Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:

ruby3.3:
  * ruby3.3-3.3.10-23.2.hum1 (aarch64, x86_64)
  * ruby3.3-bundled-gems-3.3.10-23.2.hum1 (aarch64, x86_64)
  * ruby3.3-default-gems-3.3.10-23.2.hum1 (noarch)
  * ruby3.3-devel-3.3.10-23.2.hum1 (aarch64, x86_64)
  * ruby3.3-doc-3.3.10-23.2.hum1 (noarch)
  * ruby3.3-libs-3.3.10-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-bigdecimal-3.1.5-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-bundler-2.5.22-23.2.hum1 (noarch)
  * rubygem3.3-devel-3.5.22-23.2.hum1 (noarch)
  * rubygem3.3-io-console-0.7.1-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-irb-1.13.1-23.2.hum1 (noarch)
  * rubygem3.3-json-2.7.2-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-minitest-5.20.0-23.2.hum1 (noarch)
  * rubygem3.3-power_assert-2.0.3-23.2.hum1 (noarch)
  * rubygem3.3-psych-5.1.2-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-racc-1.7.3-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-rake-13.1.0-23.2.hum1 (noarch)
  * rubygem3.3-rbs-3.4.0-23.2.hum1 (aarch64, x86_64)
  * rubygem3.3-rdoc-6.6.3.1-23.2.hum1 (noarch)
  * rubygem3.3-rexml-3.4.4-23.2.hum1 (noarch)
  * rubygem3.3-rss-0.3.1-23.2.hum1 (noarch)
  * rubygem3.3-rubygems-3.5.22-23.2.hum1 (noarch)
  * rubygem3.3-test-unit-3.6.1-23.2.hum1 (noarch)
  * rubygem3.3-typeprof-0.21.9-23.2.hum1 (noarch)
  * ruby3.3-3.3.10-23.2.hum1.src (src)

Security Fix(es):

ruby3.3:
  * CVE-2026-42245
  * CVE-2026-42246
  * CVE-2026-42256
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit a quadratic time complexity issue in the `Net::IMAP::ResponseReader` when processing large responses containing numerous string literals. This can lead to the client's CPU being exhausted, resulting in a denial of service (DoS) attack.

CWE-606 - Unchecked Input for Loop Condition
Affected products
Product                                        Remediation
Red Hat Hardened Images:ruby3-3-main@aarch64   Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@noarch    Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@src       Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@x86_64    Vendor Fix; Workaround
Threats
Impact Moderate

A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAP#starttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle (MITM) attacker can inject a predicted tagged OK response before the client completes the STARTTLS command, causing the operation to appear successful without establishing a TLS session. As a result, the connection may continue to transmit sensitive information in cleartext and enable modification of data exchanged over the affected connection, while the application incorrectly believes that encryption has been enabled.

CWE-325 - Missing Cryptographic Step
Affected products
Product                                        Remediation
Red Hat Hardened Images:ruby3-3-main@aarch64   Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@noarch    Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@src       Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@x86_64    Vendor Fix; Workaround
Threats
Impact Important

A flaw was found in Net::IMAP, a Ruby library for Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit this vulnerability during SCRAM-SHA1 or SCRAM-SHA256 (Salted Challenge Response Authentication Mechanism - Secure Hash Algorithm 1 or 256) authentication by sending an excessively large iteration count value. This can lead to a computational denial-of-service attack, causing the client process to become unresponsive.

CWE-606 - Unchecked Input for Loop Condition
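As an added example that is not part of this advisory and not net-imap's own code: a client-side guard for the SCRAM server-first message that refuses an out-of-range iteration count before PBKDF2 runs, which is the class of check the flaw above is missing. The ScramGuard module name and the MAX_ITERATIONS cap are assumptions; the nonce and salt are constructed from the RFC 7677 SCRAM-SHA-256 example and SASLprep normalization is omitted.

```ruby
require "openssl"

# Added example, not code from this advisory or from net-imap itself: a
# client-side guard for the SCRAM server-first message. The server picks the
# iteration count "i", so the client must bound it before feeding it to PBKDF2.
module ScramGuard
  # RFC 5802 requires i >= 4096 for SCRAM-SHA-1 but sets no upper bound, so
  # the client must choose one. MAX_ITERATIONS is an assumed deployment cap.
  MIN_ITERATIONS = 4096
  MAX_ITERATIONS = 1_000_000

  class UntrustedIterationCount < StandardError; end

  # Parse "r=<nonce>,s=<base64 salt>,i=<iteration count>" (RFC 5802 section 7).
  # Returns { nonce:, salt: (raw bytes), iterations: (Integer) }.
  def self.parse_server_first(msg)
    fields = msg.split(",").map { |f| f.split("=", 2) }.to_h
    %w[r s i].each { |k| raise ArgumentError, "missing #{k}= attribute" unless fields[k] }
    unless fields["i"].match?(/\A\d+\z/)
      raise ArgumentError, "iteration count is not a decimal integer"
    end
    {
      nonce: fields["r"],
      salt: fields["s"].unpack1("m0"),   # strict base64 decode, raises on bad input
      iterations: Integer(fields["i"], 10),
    }
  end

  # Reject out-of-range counts before any expensive work is done.
  def self.check_iterations!(iterations)
    if iterations < MIN_ITERATIONS || iterations > MAX_ITERATIONS
      raise UntrustedIterationCount,
            "server sent i=#{iterations}, outside [#{MIN_ITERATIONS}, #{MAX_ITERATIONS}]"
    end
    iterations
  end

  # SaltedPassword := Hi(Normalize(password), salt, i), where Hi is PBKDF2-HMAC
  # with an output length equal to the hash length (RFC 5802 section 2.2).
  # SASLprep normalization of the password is omitted here.
  def self.salted_password(password, server_first, digest: "SHA256")
    parsed = parse_server_first(server_first)
    check_iterations!(parsed[:iterations])
    md = OpenSSL::Digest.new(digest)
    OpenSSL::KDF.pbkdf2_hmac(password,
                             salt: parsed[:salt],
                             iterations: parsed[:iterations],
                             length: md.digest_length,
                             hash: md)
  end
end

if __FILE__ == $0
  # Constructed input: nonce and salt from the RFC 7677 SCRAM-SHA-256 example.
  server_first = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," \
                 "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
  puts ScramGuard.salted_password("pencil", server_first).unpack1("H*")
  begin
    ScramGuard.salted_password("pencil", server_first.sub("i=4096", "i=4000000000"))
  rescue ScramGuard::UntrustedIterationCount => e
    puts "rejected: #{e.message}"
  end
end
```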
Affected products
Product                                        Remediation
Red Hat Hardened Images:ruby3-3-main@aarch64   Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@noarch    Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@src       Vendor Fix; Workaround
Red Hat Hardened Images:ruby3-3-main@x86_64    Vendor Fix; Workaround
Threats
Impact Moderate
References
URL Category
https://access.redhat.com/errata/RHSA-2026:33721 self
https://access.redhat.com/security/cve/CVE-2026-42245 external
https://access.redhat.com/security/cve/CVE-2026-42246 external
https://access.redhat.com/security/cve/CVE-2026-42256 external
https://access.redhat.com/security/updates/classi… external
https://images.redhat.com/ external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2026-42245 self
https://bugzilla.redhat.com/show_bug.cgi?id=2468495 external
https://www.cve.org/CVERecord?id=CVE-2026-42245 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42245 external
https://github.com/ruby/net-imap/commit/6091f7d6b… external
https://github.com/ruby/net-imap/commit/88d95231f… external
https://github.com/ruby/net-imap/commit/de685f91a… external
https://github.com/ruby/net-imap/releases/tag/v0.4.24 external
https://github.com/ruby/net-imap/releases/tag/v0.5.14 external
https://github.com/ruby/net-imap/releases/tag/v0.6.4 external
https://github.com/ruby/net-imap/security/advisor… external
https://access.redhat.com/security/cve/CVE-2026-42246 self
https://bugzilla.redhat.com/show_bug.cgi?id=2468499 external
https://www.cve.org/CVERecord?id=CVE-2026-42246 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42246 external
https://github.com/ruby/net-imap/commit/0ede4c40b… external
https://github.com/ruby/net-imap/commit/24a4e770b… external
https://github.com/ruby/net-imap/commit/97e2488fb… external
https://github.com/ruby/net-imap/commit/f79d35bf5… external
https://github.com/ruby/net-imap/releases/tag/v0.3.10 external
https://github.com/ruby/net-imap/security/advisor… external
https://access.redhat.com/security/cve/CVE-2026-42256 self
https://bugzilla.redhat.com/show_bug.cgi?id=2468500 external
https://www.cve.org/CVERecord?id=CVE-2026-42256 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42256 external
https://github.com/ruby/net-imap/commit/158d0b505… external
https://github.com/ruby/net-imap/commit/808001bc4… external
https://github.com/ruby/net-imap/commit/99f59eab6… external
https://github.com/ruby/net-imap/security/advisor… external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nruby3.3:\n  * ruby3.3-3.3.10-23.2.hum1 (aarch64, x86_64)\n  * ruby3.3-bundled-gems-3.3.10-23.2.hum1 (aarch64, x86_64)\n  * ruby3.3-default-gems-3.3.10-23.2.hum1 (noarch)\n  * ruby3.3-devel-3.3.10-23.2.hum1 (aarch64, x86_64)\n  * ruby3.3-doc-3.3.10-23.2.hum1 (noarch)\n  * ruby3.3-libs-3.3.10-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-bigdecimal-3.1.5-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-bundler-2.5.22-23.2.hum1 (noarch)\n  * rubygem3.3-devel-3.5.22-23.2.hum1 (noarch)\n  * rubygem3.3-io-console-0.7.1-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-irb-1.13.1-23.2.hum1 (noarch)\n  * rubygem3.3-json-2.7.2-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-minitest-5.20.0-23.2.hum1 (noarch)\n  * rubygem3.3-power_assert-2.0.3-23.2.hum1 (noarch)\n  * rubygem3.3-psych-5.1.2-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-racc-1.7.3-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-rake-13.1.0-23.2.hum1 (noarch)\n  * rubygem3.3-rbs-3.4.0-23.2.hum1 (aarch64, x86_64)\n  * rubygem3.3-rdoc-6.6.3.1-23.2.hum1 (noarch)\n  * rubygem3.3-rexml-3.4.4-23.2.hum1 (noarch)\n  * rubygem3.3-rss-0.3.1-23.2.hum1 (noarch)\n  * rubygem3.3-rubygems-3.5.22-23.2.hum1 (noarch)\n  * rubygem3.3-test-unit-3.6.1-23.2.hum1 (noarch)\n  * rubygem3.3-typeprof-0.21.9-23.2.hum1 (noarch)\n  * ruby3.3-3.3.10-23.2.hum1.src (src)\n\nSecurity Fix(es):\n\nruby3.3:\n  * CVE-2026-42245\n  * CVE-2026-42246\n  * CVE-2026-42256",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:33721",
        "url": "https://access.redhat.com/errata/RHSA-2026:33721"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42245",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42245"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42246",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42246"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42256",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42256"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33721.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update",
    "tracking": {
      "current_release_date": "2026-07-01T00:21:23+00:00",
      "generator": {
        "date": "2026-07-01T00:21:23+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.1"
        }
      },
      "id": "RHSA-2026:33721",
      "initial_release_date": "2026-06-30T19:02:30+00:00",
      "revision_history": [
        {
          "date": "2026-06-30T19:02:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-30T19:03:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-07-01T00:21:23+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3-3-main@aarch64",
                "product": {
                  "name": "ruby3-3-main@aarch64",
                  "product_id": "ruby3-3-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby3.3@3.3.10-23.2.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3-3-main@src",
                "product": {
                  "name": "ruby3-3-main@src",
                  "product_id": "ruby3-3-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby3.3@3.3.10-23.2.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3-3-main@x86_64",
                "product": {
                  "name": "ruby3-3-main@x86_64",
                  "product_id": "ruby3-3-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby3.3@3.3.10-23.2.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3-3-main@noarch",
                "product": {
                  "name": "ruby3-3-main@noarch",
                  "product_id": "ruby3-3-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby3.3-default-gems@3.3.10-23.2.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3-3-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:ruby3-3-main@aarch64"
        },
        "product_reference": "ruby3-3-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3-3-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:ruby3-3-main@noarch"
        },
        "product_reference": "ruby3-3-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3-3-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:ruby3-3-main@src"
        },
        "product_reference": "ruby3-3-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3-3-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:ruby3-3-main@x86_64"
        },
        "product_reference": "ruby3-3-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42245",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2026-05-09T20:00:52.314743+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2468495"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit a quadratic time complexity issue in the `Net::IMAP::ResponseReader` when processing large responses containing numerous string literals. This can lead to the client\u0027s CPU being exhausted, resulting in a denial of service (DoS) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat has rated this flaw as Moderate because a malicious IMAP server can trigger excessive CPU consumption in applications using the affected Net::IMAP library, resulting in a denial-of-service condition. Successful exploitation requires interaction with a hostile server, and the impact is limited to resource exhaustion of the affected client process. The vulnerability does not allow code execution, privilege escalation, or unauthorized access to data, reducing the overall security impact despite the potential availability impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:ruby3-3-main@aarch64",
          "Red Hat Hardened Images:ruby3-3-main@noarch",
          "Red Hat Hardened Images:ruby3-3-main@src",
          "Red Hat Hardened Images:ruby3-3-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42245"
        },
        {
          "category": "external",
          "summary": "RHBZ#2468495",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468495"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42245",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42245"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42245",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42245"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96",
          "url": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda",
          "url": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819",
          "url": "https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.4.24",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.5.14",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.6.4",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw",
          "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw"
        }
      ],
      "release_date": "2026-05-09T19:37:08.905000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T19:02:30+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33721"
        },
        {
          "category": "workaround",
          "details": "To reduce the risk of a denial of service, ensure that applications using the Net::IMAP library are configured to connect exclusively to trusted IMAP servers. Avoid connecting to untrusted or unverified IMAP services, as a hostile server can exploit this vulnerability. This operational control helps prevent exposure to malicious IMAP response processing.",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses"
    },
    {
      "cve": "CVE-2026-42246",
      "cwe": {
        "id": "CWE-325",
        "name": "Missing Cryptographic Step"
      },
      "discovery_date": "2026-05-09T20:01:04.782096+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2468499"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAP#starttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle (MITM) attacker can inject a predicted tagged OK response before the client completes the STARTTLS command, causing the operation to appear successful without establishing a TLS session. As a result, the connection may continue to transmit sensitive information in cleartext and enable modification of data exchanged over the affected connection, while the application incorrectly believes that encryption has been enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability affects the STARTTLS functionality in the Ruby net-imap library. Red Hat Product Security has assessed this issue as an Important severity vulnerability.\n\nAttack Complexity is considered High (AC:H), because successful exploitation requires an attacker capable of intercepting and modifying network traffic and successfully winning a timing race during the STARTTLS negotiation process.\n\nThis may allow exposure of authentication credentials, email contents, and other sensitive information, as well as unauthorized modification of data transmitted over the affected connection.\n\n```\n\nRed Hat\u0027s ruby packages distribute net-imap as a default bundled gem, the ruby package itself is listed affected. Applications relying on the system-provided Ruby installation to handle IMAP connections may be exposed to this flaw.\n\nRed Hat 3scale API Management uses net-imap which is a transitive dependency of mail, which is a dependency of actionmailer and actionmailbox. The images doesn\u2019t load them or use them in any way, hence, they are not affected.\n\n```",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:ruby3-3-main@aarch64",
          "Red Hat Hardened Images:ruby3-3-main@noarch",
          "Red Hat Hardened Images:ruby3-3-main@src",
          "Red Hat Hardened Images:ruby3-3-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42246"
        },
        {
          "category": "external",
          "summary": "RHBZ#2468499",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468499"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42246",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42246"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618",
          "url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e",
          "url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c",
          "url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da",
          "url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.3.10",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.4.24",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.5.14",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp",
          "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp"
        }
      ],
      "release_date": "2026-05-09T19:33:17.880000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T19:02:30+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33721"
        },
        {
          "category": "workaround",
          "details": "As a temporary workaround, Users are strongly encouraged to switch from explicit TLS upgrading mechanisms (STARTTLS on port 143) to Implicit TLS connections (such as IMAPS on port 993).\n\nBy enforcing implicit TLS via port 993 from the initial socket creation step, the connection is mathematically protected against packet injection and connection degradation tactics entirely, bypassing the vulnerable implementation path.",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS"
    },
    {
      "cve": "CVE-2026-42256",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2026-05-09T20:01:08.343909+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2468500"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Net::IMAP, a Ruby library for Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit this vulnerability during SCRAM-SHA1 or SCRAM-SHA256 (Salted Challenge Response Authentication Mechanism - Secure Hash Algorithm 1 or 256) authentication by sending an excessively large iteration count value. This can lead to a computational denial-of-service attack, causing the client process to become unresponsive.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ruby/net-imap: ruby: Net::IMAP: Denial of Service via large iteration count in SCRAM authentication",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:ruby3-3-main@aarch64",
          "Red Hat Hardened Images:ruby3-3-main@noarch",
          "Red Hat Hardened Images:ruby3-3-main@src",
          "Red Hat Hardened Images:ruby3-3-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42256"
        },
        {
          "category": "external",
          "summary": "RHBZ#2468500",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468500"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42256",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42256"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42256",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42256"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612",
          "url": "https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4",
          "url": "https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758",
          "url": "https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.4.24",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.5.14",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/releases/tag/v0.6.4",
          "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7",
          "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7"
        }
      ],
      "release_date": "2026-05-09T19:38:33.106000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T19:02:30+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33721"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:ruby3-3-main@aarch64",
            "Red Hat Hardened Images:ruby3-3-main@noarch",
            "Red Hat Hardened Images:ruby3-3-main@src",
            "Red Hat Hardened Images:ruby3-3-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ruby/net-imap: ruby: Net::IMAP: Denial of Service via large iteration count in SCRAM authentication"
    }
  ]
}
