Cisco disclosed a lot of vulnerabilities in Aspose.Cells for .NET

Hi Team

We are using Aspose.Cells for .NET. Below are the details of the library:
Name: Aspose.Cells for .NET
Library URL: .NET Excel API | Process Spreadsheet Formats via .NET Core | products.aspose.com

But the Digital security team has reported some vulnerabilities. The response is given below:
"Cisco disclosed a lot of vulnerabilities in the Aspose API (just last month). They are all remote code execution (RCE) attacks.
The attacks were very interesting as well. However, the usage of ASPOSE with respect to the project is very important and needs to be explained by the architects through threat modeling.
The attack vector (AV) is network and attack complexity (AC) is low – easily exploitable.

Please find the NVD details about the vulnerability
CVE-2019-5032
NVD - CVE-2019-5032"

Please provide further details in the same regard: are these vulnerabilities reported in Aspose.Cells? If yes, what could be the ETA for resolution?

Thanks
Arshdeep Singh

@arshdeepsingh02,

Thanks for the details.

For your information, there were no such vulnerabilities in Aspose.Cells for .NET; only some C++ versions (e.g. v19.1) have these security vulnerabilities, which were fixed in newer Aspose.Cells for C++ versions (we recommend you kindly try our latest Aspose.Cells for C++ v19.10). If you find any security issues (vulnerabilities) in the .NET version in any case, let us know with details and we will check it soon.


@arshdeepsingh02

These vulnerabilities were only identified in two of our C++ APIs and were fixed as well. We had publicly announced the update in the following blog as well: Aspose.Words for C++ and Aspose.Cells for C++ Security Updates.

If you still have any concerns, please do let us know.

Thanks guys for the response. We will surely try the latest version for Aspose.

Hi Team

We have scanned ASPOSE.CELLS for .NET using Black Duck. PFA the list of vulnerabilities reported in that. Please check and revert back. ASPOSE vulnerabilities.JPG (103.1 KB)

@arshdeepsingh02,

Thanks for sharing. Could you please attach the full report here so we can have a closer review?

@adam.skelton1 PFA the detailed scan report. Aspose.Cells-for-.NET-master-Default Detect Version_2019-11-26_204008.zip (23.1 KB)

@arshdeepsingh02,

Thanks for the report files.

We found that all mentioned issues are about web-relevant components (e.g. bootstrap, jquery, js, etc.). Our component has no references to those components, so those found vulnerabilities are not caused by Aspose.Cells by any means.

Thanks for sharing the information guys.

@MattHughes,

You are welcome.
