CVE-2023-4863

WolfVasa · October 3, 2023, 6:26am

Does CVE-2023-4863 affect the Aspose family of products? If so, when do you intend providing an update? Thanks for any info. NVD - CVE-2023-4863. This was thought to be chrome only, but now it has been found that any products utilising libwebp are affected.

alexey.noskov · October 3, 2023, 7:33am

@WolfVasa
We have opened the following new ticket in our internal issue tracking system To check whether Aspose.Words is affected by this vulnerability.

Issue ID(s): WORDSNET-26016

We will keep you updated and let you know the result.

amjad.sahi · October 3, 2023, 8:00am

@WolfVasa,

Regarding Aspose.Cells, we have opened the following new ticket in our internal issue tracking system to investigate whether Aspose.Cells is affected by this vulnerability.

Issue ID(s): CELLSNET-54320

Once we have an update on it, we will let you know here.

WolfVasa · October 3, 2023, 8:00am

Thanks. Also please consider dependencies such as SkiaSharp that has been affected by the same or similar vulnerability.

amjad.sahi · October 3, 2023, 8:04am

For Aspose.Cells, please see/follow up the thread for your reference.

WolfVasa · October 3, 2023, 8:34am

Updating SkiaSharp will work for .Net Core version but what about .Net Framework version? How to fix that?

amjad.sahi · October 3, 2023, 8:37am

@WolfVasa,

Aspose.Cells does not use SkiaSharp for common .NET framework versions. Instead, it uses System.Drawing.Common for rendering graphics.

WolfVasa · October 3, 2023, 8:42am

Oh yes sorry I just read that in the doco. Cheers!

amjad.sahi · October 5, 2023, 9:59am

A post was split to a new topic: CVE-2023-4863 - Aspose.PDF

amjad.sahi · October 7, 2023, 9:58am

@WolfVasa,

We are pleased to inform you that your issue (logged earlier as “CELLSNET-54320”) has been resolved. We have updated version of SkiaSharp to 2.88.6 for CVE-2023-4863 vulnerability. The enhancement will be included in our upcoming release (Aspose.Cells v23.10) that we plan to release in the next week or so. You will be notified when the new version is published.

aspose.notifier · October 12, 2023, 12:13pm

The issues you have found earlier (filed as CELLSNET-54320) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi

faryal.tanveer · October 12, 2023, 2:06pm

Can I get the update for Aspose.Words as SkiaSharp is also part of aspose.words. We want the skiasharp 2.88.6 version for Aspose.Words package.

alexey.noskov · October 12, 2023, 2:25pm

@faryal.tanveer We already updated SkiaSharp version in the current codebase and the next 23.11 version of Aspose.Words will use the fixed version. We will be sure to let you know once it is released.

aspose.notifier · November 7, 2023, 5:54am

The issues you have found earlier (filed as WORDSNET-26031) have been fixed in this Aspose.Words for .NET 23.11 update also available on NuGet.

aspose.notifier · November 7, 2023, 5:54am

The issues you have found earlier (filed as WORDSNET-26016) have been fixed in this Aspose.Words for .NET 23.11 update also available on NuGet.