Ruby net-imap v0.4.24 Security Advisory: Mitigating STARTTLS Stripping, Injection, and DoS

Summary of Ruby net-imap v0.4.24 Security Update Vulnerability Overview This update addresses several critical security vulnerabilities, primarily involving STARTTLS stripping attacks, CRLF/command/parameter injection, and Denial of Service (DoS) attacks. Scope of Impact Affected Versions: v0.4.x branch (receives only critical security fixes; will no longer be supported after Ruby 3.3 reaches End-of-Life). Risk Level: High. Specific Risks: Man-in-the-Middle Attacks: Attackers can cause to return "success," while TLS encryption is not actually initiated. Injection Attacks: CRLF or command injection via parameters, parameters, parameters, and the API. Denial of Service: A quadratic time complexity vulnerability exists when reading responses containing a large number of string literals; has excessively high default iteration counts. Remediation 1. Fix STARTTLS Stripping Vulnerability: Fixed the vulnerability in to ensure TLS is correctly initiated. 2. Enhance Parameter Validation and Injection Protection: Fixed CRLF/command/parameter injection via parameters. Fixed injection passed via parameters to and . Fixed injection passed via parameters to . Fixed CRLF/command injection in . Note: does not defend against other forms of parameter injection because it is a low-level API. 3. Mitigate Denial of Service Attacks: Fixed the quadratic time complexity issue when reading large responses. Added configurable count for authentication. Reduced the default for from 21 - 1 to (the maximum value for a 32-bit signed integer) to prevent malicious servers from exhausting resources. 4. Other Improvements: Improved performance of internal literal sending. Continued support for literals. Additional Notes Important: and send raw data when is a String; when is an Array, its String members are sent as raw data. Contributors**: @Masamuneee, @nevan, @manunio

Goal Reached Thanks to every supporter — we hit 100%!

Ruby net-imap v0.4.24 Security Advisory: Mitigating STARTTLS Stripping, Injection, and DoS

More from this source