Free Support Forum - aspose.com

Cisco disclosed lot of vulnerabilities in the Aspose.Cells for .NET

Hi Team

We are using Aspose.Cells for .NET. Below are the details of the library:
Name: Aspose.Cells for .NET
Library URL: https://products.aspose.com/cells/net

But Digital security team has reported some vulnerabilities, Response is given below:
" Cisco disclosed lot of vulnerabilities in the Aspose API ( Just last month) . They are all remote code execution attacks (RCE).
They attacks were very interesting as well .However the usage of ASPOSE with respect to project is very important that need to be explained by the architects through threat-modeling .
The attack vector (AV) is network and Attack complexity (AC) is low – easily exploitable .

Please find the NVD details about the vulnerability
CVE-2019-5032
https://nvd.nist.gov/vuln/detail/CVE-2019-5032 "

Please provide further details in same regard, whether these vulnerabilites are reported in Aspose.Cells? if yes, what could be the ETA for resolution.

Thanks
Arshdeep Singh

@arshdeepsingh02,

Thanks for the details.

For your information, there were no such vulnerabilities in Aspose.Cells for .NET, only some C++ versions (e.g v19.1) have these security vulnerabilities which were fixed in newer Aspose.Cells for C++ versions (we recommend you to kindly try our latest Aspose.Cells for C++ v19.10). If you find any security issues (vulnerabilities) in .NET version in any case, let us know with details, we will check it soon.

1 Like

@arshdeepsingh02

These vulnerabilities were only identified in two of our C++ APIs and were fixed as well. We had publicly announced the update in the following blog as well: Aspose.Words for C++ and Aspose.Cells for C++ Security Updates.

If you still find any concerned, please do let us know.

1 Like

Thanks guys for the response. We will surely try the latest version for Aspose.

Hi Team

We have scanned ASPOSE.CELLS for .NET using Black Duck. PFA the list of vulnerabilities reported in that. Please check and revert back.ASPOSE vulnerabilities.JPG (103.1 KB)

@arshdeepsingh02,

Thanks for sharing. Could you please attach the full report here so we can have a closer review?

@adam.skelton1 PFA the detailed scan report. Aspose.Cells-for-.NET-master-Default Detect Version_2019-11-26_204008.zip (23.1 KB)

@arshdeepsingh02,

Thanks for the report files.

We found all mentioned issues are about web relevant components (e.g bootstrap, jquery, js, etc.). Our component has no references to those components, so those found vulnerabilities are not caused by Aspose.Cells by any means.