Manunio

**Name of the Vulnerable Software and Affected Versions** Net::IMAP versions prior to 0.4.24 Net::IMAP versions prior to 0.5.14 Net::IMAP versions prior to 0.6.4 **Description** Several commands in the Net::IMAP Ruby library accept raw string arguments that are sent to the server without validation or escaping. If these strings are derived from user-controlled input, they may contain CRLF (Carriage Return Line Feed) sequences, allowing an attacker to inject arbitrary IMAP commands. This occurs because specific arguments are transformed into `Net::IMAP::RawData`, bypassing normal encoding. Technical details regarding affected functions and parameters: - `uid search()` and `search()`: the `criteria` parameter is sent raw when it is a string. - `uid fetch()` and `fetch()`: the `attr` parameter is sent raw when it is a string or an array of strings. - `uid store()` and `store()`: the `attr` parameter is sent raw when it is a string. - `setquota()`: the `limit` parameter is interpolated and sent raw. **Recommendations** Update to version 0.4.24, 0.5.14, or 0.6.4 depending on the version branch used. As a temporary workaround, validate string inputs for search criteria and fetch attributes by checking for `r` and ` ` characters. Restrict user-controlled inputs for the `attr` parameter in store commands to a small enumerated list or use hard-coded values. Use `Kernel#Integer` to coerce and validate user-controlled inputs for the `limit` parameter in the `setquota()` function. Prefer sending search criteria as an array of key-value pairs instead of an interpolated string.

**Name of the Vulnerable Software and Affected Versions** Net::IMAP versions prior to 0.4.24 Net::IMAP versions prior to 0.5.14 Net::IMAP versions prior to 0.6.4 **Description** Symbol arguments passed to IMAP commands are susceptible to CRLF Injection and IMAP Command injection. Symbol arguments represent IMAP system flags, which are formatted as atoms with a `` prefix. Vulnerable versions send the symbol name directly to the socket without validation, allowing the inclusion of invalid `flag` characters such as `SP` (space) and `CRLF` (carriage return line feed). This enables an attacker to terminate the current command and inject new, unauthorized IMAP commands, such as `DELETE mailbox`, if a developer passes user-controlled input as a Symbol to the affected commands. **Recommendations** Update to version 0.4.24, 0.5.14, or 0.6.4 depending on the current major version branch. Avoid calling `#to sym` on unvetted user-provided input. Do not unsafely serialize and deserialize command arguments using methods like YAML or Marshal that could create unvetted Symbol arguments. Hard-code Symbol arguments or restrict them to a predefined enumerated list for IMAP commands that allow `flag` arguments.

**Name of the Vulnerable Software and Affected Versions** Net::IMAP versions 0.3.2 through 0.3.7 Net::IMAP versions 0.4.0 through 0.4.18 Net::IMAP versions 0.5.0 through 0.5.5 **Description** There is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. **Recommendations** For Net::IMAP versions 0.3.2 through 0.3.7, upgrade to version 0.3.8 or higher and configure `config.parser max deprecated uidplus data size` to set the maximum `UIDPlusData` UID set size. For Net::IMAP versions 0.4.0 through 0.4.18, upgrade to version 0.4.19 or higher and configure `config.parser use deprecated uidplus data` to `false`. For Net::IMAP versions 0.5.0 through 0.5.5, upgrade to version 0.5.6 or higher and configure `config.parser use deprecated uidplus data` to `:up to max size`. As a temporary workaround, consider disabling the `Net::IMAP::ResponseParser` function until a patch is available. Restrict access to the vulnerable `net-imap` module to minimize the risk of exploitation. Avoid using the `uid-set` parameter in the affected API endpoint until the issue is resolved.