ASPOSE.Words and ASPOSE.Cells vulnerabilities

jmunter · November 23, 2021, 5:24pm

are these vulnerabilities remediated?

CVE-2019-5041 An exploitable Stack Based Buffer Overflow vulnerability exists in the EnumMetaInfo function of Aspose Aspose.Words library, version 18.11.0.0. A specially crafted doc file can cause a stack-based buffer overflow, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger this vulnerability.

Published: August 21, 2019; 2:15:13 PM -0400 V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2019-5033 An exploitable out-of-bounds read vulnerability exists in the Number record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Published: August 21, 2019; 2:15:13 PM -0400 V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2019-5032 An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Published: August 21, 2019; 2:15:13 PM -0400

sergey.lobanov · November 23, 2021, 10:38pm

@jmunter,
The latest version of Aspose.Words for .NET is not affected by CVE-2019-5041 issue. This issue pointed to Aspose.Words for C++, but it was fixed and doesn’t appear in the latest versions of Aspose.Words for C++ anymore.

xinya.zhu · November 24, 2021, 1:43am

@jmunter The bugs about Aspose.Cells for C++ reported in version 19.1 which has been fixed since 19.8.Thanks!