Skip to content

Commit 8062e67

Browse files
1 parent 58c7774 commit 8062e67

3 files changed

Lines changed: 205 additions & 5 deletions

File tree

advisories/unreviewed/2026/03/GHSA-j3mh-qmjj-xp83/GHSA-j3mh-qmjj-xp83.json renamed to advisories/github-reviewed/2026/03/GHSA-j3mh-qmjj-xp83/GHSA-j3mh-qmjj-xp83.json

Lines changed: 30 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-j3mh-qmjj-xp83",
4-
"modified": "2026-03-17T21:31:45Z",
4+
"modified": "2026-06-09T18:36:19Z",
55
"published": "2026-03-17T21:31:45Z",
66
"aliases": [
77
"CVE-2026-32981"
88
],
9+
"summary": "Ray Dashboard is vulnerable to path traversal through its static file handling mechanism",
910
"details": "A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.",
1011
"severity": [
1112
{
@@ -14,17 +15,41 @@
1415
},
1516
{
1617
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "PyPI",
25+
"name": "ray"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"fixed": "2.8.1"
36+
}
37+
]
38+
}
39+
]
1840
}
1941
],
20-
"affected": [],
2142
"references": [
2243
{
2344
"type": "ADVISORY",
2445
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32981"
2546
},
2647
{
2748
"type": "WEB",
49+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ray/PYSEC-2026-130.yaml"
50+
},
51+
{
52+
"type": "PACKAGE",
2853
"url": "https://github.com/ray-project/ray"
2954
},
3055
{
@@ -41,8 +66,8 @@
4166
"CWE-22"
4267
],
4368
"severity": "HIGH",
44-
"github_reviewed": false,
45-
"github_reviewed_at": null,
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-06-09T18:36:19Z",
4671
"nvd_published_at": "2026-03-17T20:16:14Z"
4772
}
4873
}
Lines changed: 87 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,87 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8p34-64r3-mwg8",
4+
"modified": "2026-06-09T18:36:05Z",
5+
"published": "2026-06-09T18:36:04Z",
6+
"aliases": [
7+
"CVE-2026-47240"
8+
],
9+
"summary": "Net::IMAP: Command Injection via non-synchronizing literal in \"raw\" argument",
10+
"details": "Several Net::IMAP commands accept a \"raw data\" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.\n\n### Details\n\nRaw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.\n\nServers without support for non-synchronizing literals could handle them in several different ways: If a server sees a `\"}\\r\\n\"` byte sequence but can't parse the literal bytesize, it _may_ cautiously decide to close the connection, blocking any command injection attacks. However, a server without support for non-synchronizing literals may instead interpret the `\"+}\\r\\n\"` as the end of a malformed command line and respond with a tagged `BAD`. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.\n\nThis affects the following commands' string arguments:\n* `criteria` for `#search` and `#uid_search`\n* `search_keys` for `#sort`, `#thread`, `#uid_sort`, and `#uid_thread`\n* `attr` for `#fetch` and `#uid_fetch`\n\nPrior to `net-imap` v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in _any_ way, so they were also vulnerable to this attack. See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).\n\n### Impact\n\nFortunately, `LITERAL-` is supported by most modern IMAP servers. Even without support for non-synchronizing literals, cautious servers may handle invalid literal bytesize by closing the connection . However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.\n\nIf a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.\n\n### Mitigation\n\nUpdate to a version of `net-imap` which validates server support for non-synchronizing literals before sending them.\n\nIf upgrading `net-imap` is not possible:\n* Explicitly validate user-controlled inputs to prevent embedded non-synchronizing literals unless the server supports them.\n* For a simpler, more cautious approach: all embedded literals can be unconditionally prohibited, by checking that string inputs do not contain any CR or LF bytes.\n* Verify that the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities before using untrusted string inputs for the affected \"raw data\" arguments.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "RubyGems",
21+
"name": "net-imap"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.6.0"
29+
},
30+
{
31+
"fixed": "0.6.4.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.6.4"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "RubyGems",
43+
"name": "net-imap"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "0.5.15"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 0.5.14"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-8p34-64r3-mwg8"
67+
},
68+
{
69+
"type": "PACKAGE",
70+
"url": "https://github.com/ruby/net-imap"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4.1"
75+
}
76+
],
77+
"database_specific": {
78+
"cwe_ids": [
79+
"CWE-77",
80+
"CWE-93"
81+
],
82+
"severity": "MODERATE",
83+
"github_reviewed": true,
84+
"github_reviewed_at": "2026-06-09T18:36:04Z",
85+
"nvd_published_at": null
86+
}
87+
}
Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c4fp-cxrr-mj66",
4+
"modified": "2026-06-09T18:36:11Z",
5+
"published": "2026-06-09T18:36:11Z",
6+
"aliases": [
7+
"CVE-2026-47241"
8+
],
9+
"summary": "Net::IMAP: Denial of Service via incomplete raw argument validation",
10+
"details": "### Summary\n\nSeveral Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.\n\n### Details\n\n`Net::IMAP::RawData` was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trailing-marker check uses an incorrect regex which does not match `{0}` or `{0+}`, so an attacker-controlled seach `criteria` or fetch `attr` string ending in `{0}` or `{0+}` passes validation and is sent verbatim. Since these arguments are sent as the last argument in the command, they will be followed by CRLF. Although the CRLF was intended to end the command, the server will interpret it as part of a literal prefix. This consumes the next command the client puts on the socket as additional arguments to the current command.\n\nThis affects the following command's arguments:\n* `criteria` for `#search` and `#uid_search`\n* `search_keys` for `#sort`, `#thread`, `#uid_sort`, and `#uid_thread`\n* `attr` for `#fetch` and `#uid_fetch`\n\nThe command which contained the attacker's raw data will not be able to complete until the _next_ command is issued. If commands are only sent from single thread, the first command will hang until the connection times out (most likely by the server closing the connection).\n\nIf a second command is sent _(from another thread)_, this would allow the server to respond to the first command. This combined command _will_ be invalid:\n* The `{0}\\r\\n` literal prohibits other arguments (such as a quoted string) from spanning both commands\n* It will be sent without the space delimiter which is required between arguments.\n* The second command's tag will not be a valid argument to any of the vulnerable commands.\n\nSo the server _should_ respond to the first command with a `BAD` response, which will raise a `BadResponseError`. \n\nBut, since the server never saw a second command, the second command will never receive a tagged response and the thread that sent it will hang until the connection is closed.\n\n### Impact\n\nThis will result in unexpected crashes and timeouts, which could be used to create a simple denial of service attack. This attack will present very similarly to common network issues or server issues which also result in commands hanging or unexpectedly raising exceptions. By itself, this does not allow command injection. But the confusion caused by these errors could lead to other downstream issues, especially in a multi-threaded environment.\n\n### Mitigation\n\nUpdate to a patched version of `net-imap` which validates that `RawData` arguments may not end with literal continuation markers.\nIf `net-imap` cannot be upgraded:\n* Validate that user input to the affected command arguments does not end with `\"}\"`.\n* Use of `Timeout` or other standard strategies for slow connections and misbehaving servers will also mitigate the effects of this.\n\n_Extra caution is required when issuing commands from multiple threads._ While `net-imap` does have rudimentary support for issuing commands from multiple threads, the user is responsible for synchronizing that commands are issued in a logically coherent order, and for ensuring that commands are only pipelined when it is safe to do so. Practically, this means that many commands cannot be safely pipelined together, and user code will often need to wait for state changing commands to successfully complete before issuing commands that rely on that state change.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "RubyGems",
21+
"name": "net-imap"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.6.0"
29+
},
30+
{
31+
"fixed": "0.6.4.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.6.4"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "RubyGems",
43+
"name": "net-imap"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "0.5.15"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 0.5.14"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-c4fp-cxrr-mj66"
67+
},
68+
{
69+
"type": "PACKAGE",
70+
"url": "https://github.com/ruby/net-imap"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4.1"
75+
}
76+
],
77+
"database_specific": {
78+
"cwe_ids": [
79+
"CWE-162",
80+
"CWE-182",
81+
"CWE-186"
82+
],
83+
"severity": "LOW",
84+
"github_reviewed": true,
85+
"github_reviewed_at": "2026-06-09T18:36:11Z",
86+
"nvd_published_at": null
87+
}
88+
}

0 commit comments

Comments
 (0)