Aspose.pdf vulnerabilities - CVE-2019-5067, CVE-2019-5066, and CVE-2019-5042

Hi, we are interested in purchasing two Aspose.PDF small business licenses for 10 devs each, and we would like to know if the new version of this software addressed certain vulnerabilities found in the previous version, specifically CVE-2019-5067, CVE-2019-5066, and CVE-2019-5042.

@LHI

Are you planning to purchase Aspose.PDF for C++? Please note that we keep checking the API from time to time for any type of vulnerability and fix it. That is why we always recommend using the latest available version. However, please confirm if you are interested in purchasing the C++ API or .NET so that we will provide information accordingly.

Hi Asad.ali,

In order to purchase Aspose.PDF we need to understand if the vulnerabilities CVE-2019-5067, CVE-2019-5066, and CVE-2019-5042 are not an issue. We are interested in purchasing the .NET version of the software.

Also, for Aspose.Words we have version 15.3 and for Aspose.Cells we have version 8.4. Are these versions subject to the vulnerabilities CVE-2019-5067, CVE-2019-5066, and CVE-2019-5042, and if so, do the latest versions resolve them?

@Craig_Rhodes

We would like to share with you that we have made all of the Aspose APIs the most secure and we keep testing them for any possible vulnerability. There are no such vulnerabilities in the latest versions of the Aspose.PDF, Aspose.Words and Aspose.Cells. However, in order to have full confirmation, we have logged an investigation ticket as PDFNET-51141 in our issue tracking system. We will soon analyze it and share our feedback with you. Please spare us some time.

@LHI @Craig_Rhodes The mentioned vulnerabilities are about C++ code and are not applicable to the .NET and Java versions of Aspose.Words.
Also the vulnerabilities were fixed in Aspose.Words for C++ about two years ago (in 2019-2020). The corresponding issues in our defect tracking system are WORDSCPP-938 and WORDSCPP-817.

@LHI

All of these vulnerabilities are related to pointers. “Unsafe” code is not used in the project (.NET).
Pointers are not used either. Working with unsafe is prohibited in our project.