Cve-2021-42574 Vulnerability

Aspose.Total Product Family
1

Please direct this email to the appropriate Aspose contact for review and response.

Napersoft was made aware of the ‘Trojan Source’ vulnerability being tracked as CVE-2021-42574. Per that CVE, the vulnerability “permits the visual reordering of characters via control sequences which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.”

Vendor Name : Aspose

Product: 2019-11-20 Aspose Total for Java

We ask that you please provide responses to the following questions by end of day Thursday 12/23/2021.

Acknowledge receipt of this query:

Have you taken steps to identify whether this vulnerability exists in your code base

  • Not started
  • In Progress
  • Completed

Have you engaged relevant 3rd parties that develop software as applicable

  • Yes
  • No

Confirm that you will advise Napersoft regarding the timeline to deploy patches for the compilers/programming languages as they become available:

Have you detected exploitation of this vulnerability

  • Yes
  • No

If exploitation detected, is there any potential exposure to Napersoft

  • Yes (please explain)
  • No
  • Evaluation in Progress
2

@sherter

We are collecting related information regarding your inquiries and will get back to you shortly.

3

Is there any update on this?

Thanks.

4

@sherter

We would like to share with you that we checked our code and there are no special characters involved in this vulnerability, as well as the Aspose library. So the feedback is:

  1. Have you taken steps to identify whether this vulnerability exists in your codebase – Completed
  2. Have you engaged relevant 3rd parties that develop software as applicable – No
  3. Confirm that you will advise Napersoft regarding the timeline to deploy patches for the compilers/programming languages as they become available: – No
  4. Have you detected exploitation of this vulnerability – No
  5. If exploitation detected, is there any potential exposure to Napersoft – No
5

@sherter

Regarding Aspose.PUB for Java, we checked our code and there are no special characters involved in this vulnerability, as well as the Aspose library. PUB is not a compiler of any code and does not involve third-party developers.

Acknowledge receipt of this query:

  1. Have you taken steps to identify whether this vulnerability exists in your code base – Completed
  2. Have you engaged relevant 3rd parties that develop software as applicable – No
  3. Confirm that you will advise Napersoft regarding the timeline to deploy patches for the compilers/programming languages as they become available: – not required. aspose.pub library is not a compiler
  4. Have you detected exploitation of this vulnerability – No
  5. If exploitation detected, is there any potential exposure to Napersoft – No