7.4 CVE-2026-42246

Enriched by CISA Patch
 

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
https://nvd.nist.gov/vuln/detail/CVE-2026-42246

Categories

CWE-392 : Missing Report of Error Condition
The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. For this CVE the unreported condition is a TLS upgrade that never happened: Net::IMAP#starttls returns as if the upgrade succeeded, so the caller's next command, typically LOGIN or AUTHENTICATE, goes out in cleartext. Observed examples of the weakness:
  • Web-based product can throw an exception during authentication but does not report the failure in the HTTP status code, allowing authentication bypass.
  • Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391).
  • Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
  • Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
  • Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
  • Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.

References


 

AFFECTED (from MITRE)


Vendor: ruby
Product: net-imap
Versions:
  • < 0.3.10 [affected]
  • >= 0.4.0, < 0.4.24 [affected]
  • >= 0.5.0, < 0.5.14 [affected]
  • >= 0.6.0, < 0.6.4 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
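The two practical questions this entry raises are whether a given Ruby dependency set sits in one of the affected net-imap ranges above, and how a client should treat a STARTTLS exchange that did not end in a verified TLS session (the failure mode in the description). The following Ruby is an added example written for this page; it is not code from net-imap, NVD or MITRE. It encodes the four affected ranges with Gem::Requirement, scans a constructed Gemfile.lock excerpt (hypothetical application), lists affected copies installed in the current Ruby, and wraps Net::IMAP#starttls in a fail-closed guard. The guard assumes net-imap 0.4 or later, where Net::IMAP#tls_verified? is documented to return true only after the handshake completed and the peer was verified; the function names, the sample lockfile and the IMAP_HOST / IMAP_PORT environment variables are this example's own choices.

```ruby
# Added example (not code from the page, net-imap or NVD): check dependencies
# against the affected net-imap ranges, and guard Net::IMAP#starttls so that a
# STARTTLS exchange which did not yield a verified TLS session is an error,
# not a silent fall-through to cleartext.
require "rubygems"   # Gem::Version / Gem::Requirement ship with Ruby

# Affected ranges exactly as the MITRE table states them.  The first range has
# no lower bound, so anything older than 0.3.10 (0.2.x and earlier) counts too.
AFFECTED_NET_IMAP = [
  Gem::Requirement.new("< 0.3.10"),
  Gem::Requirement.new(">= 0.4.0", "< 0.4.24"),
  Gem::Requirement.new(">= 0.5.0", "< 0.5.14"),
  Gem::Requirement.new(">= 0.6.0", "< 0.6.4"),
].freeze

# Fixed versions, one per release branch (0.3, 0.4, 0.5, 0.6).
FIXED_NET_IMAP = %w[0.3.10 0.4.24 0.5.14 0.6.4].freeze

# True when the given net-imap version string falls in an affected range.
def vulnerable_net_imap?(version)
  v = Gem::Version.new(version)
  AFFECTED_NET_IMAP.any? { |range| range.satisfied_by?(v) }
end

# Returns the net-imap version(s) resolved in a Gemfile.lock that are affected.
# Only the 4-space-indented "specs:" entries carry a concrete version; the
# 6-space dependency lines ("      net-imap (>= 0.4)") carry constraints and
# are skipped on purpose.
def affected_in_gemfile_lock(lock_text)
  lock_text.scan(/^    net-imap \((\d[^)]*)\)$/).flatten.uniq
           .select { |v| vulnerable_net_imap?(v) }
end

# Affected net-imap versions installed in the current Ruby (empty if none).
def affected_installed_net_imap
  Gem::Specification.find_all_by_name("net-imap")
                    .map { |spec| spec.version.to_s }
                    .select { |v| vulnerable_net_imap?(v) }
end

# Fail-closed STARTTLS for net-imap 0.4+ (assumes Net::IMAP#tls_verified?,
# documented to be true only after a completed handshake with peer
# verification).  If starttls returns but the session is not a verified TLS
# session, the connection is dropped before any credentials are sent.
# `require "net/imap"` is deferred so the version checks above run without it.
def verified_starttls(host, port: 143, **tls_options)
  require "net/imap"
  imap = Net::IMAP.new(host, port: port)
  imap.starttls(**tls_options)
  return imap if imap.tls_verified?
  raise "STARTTLS to #{host}:#{port} did not produce a verified TLS session"
rescue StandardError
  imap&.disconnect rescue nil
  raise
end

# Constructed Gemfile.lock excerpt (hypothetical app): mail pulls in net-imap 0.4.21.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      date (3.3.4)
      mail (2.8.1)
        mini_mime (>= 0.1.1)
        net-imap
        net-pop
        net-smtp
      net-imap (0.4.21)
        date
        net-protocol
      net-protocol (0.2.2)
        timeout
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "Gemfile.lock affected versions: #{affected_in_gemfile_lock(SAMPLE_GEMFILE_LOCK).inspect}"
  puts "Installed affected versions:   #{affected_installed_net_imap.inspect}"
  if (host = ENV["IMAP_HOST"])   # only talks to the network when asked to
    imap = verified_starttls(host, port: Integer(ENV.fetch("IMAP_PORT", "143")))
    puts "verified TLS session to #{host}: #{imap.tls_verified?}"
    imap.logout
  end
end
```

The guard rejects two states, not one: a starttls that returned without any TLS session, and a TLS session negotiated with verify_mode set to VERIFY_NONE (tls_verified? is false there as well), so a proxy presenting its own certificate does not pass either. Put the check between starttls and the first LOGIN or AUTHENTICATE; nothing else in the client should touch the socket in between.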

CPE

cpe                                                   start      end
Configuration 1
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:*:ruby:*:*      -          < 0.3.10
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:*:ruby:*:*      >= 0.4.0   < 0.4.24
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:*:ruby:*:*      >= 0.5.0   < 0.5.14
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:*:ruby:*:*      >= 0.6.0   < 0.6.4


REMEDIATION


Patch

Url
https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry