{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-09T19:39:48Z",
  "bugzilla" : {
    "description" : "net-imap: Net::IMAP: Arbitrary IMAP command injection via CRLF sequences in unvalidated input",
    "id" : "2468494",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468494"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-93",
  "details" : [ "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.", "A flaw was found in Net::IMAP, a Ruby library for Internet Message Access Protocol (IMAP) client functionality. Several Net::IMAP commands accept raw string arguments that are sent to the server without proper validation or escaping. If an application uses user-controlled input for these arguments, a remote attacker could inject Carriage Return Line Feed (CRLF) sequences and thereby inject arbitrary IMAP commands." ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp21/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp21/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp22/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Out of support scope",
    "package_name" : "3scale-amp22/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel7",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/zync-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Out of support scope",
    "package_name" : "3scale-amp2/zync-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby4.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:4.0/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Under investigation",
    "package_name" : "ruby3.3",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Under investigation",
    "package_name" : "ruby3.4",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Under investigation",
    "package_name" : "ruby4.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42257\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42257\nhttps://github.com/ruby/net-imap/releases/tag/v0.4.24\nhttps://github.com/ruby/net-imap/releases/tag/v0.5.14\nhttps://github.com/ruby/net-imap/releases/tag/v0.6.4\nhttps://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg" ],
  "name" : "CVE-2026-42257",
  "csaw" : false
}