CVE-2023-5129, CVE-2023-4863

Hello Support Team,

In light of CVE-2023-4863/CVE-2023-5129 we would like to know if aspose is vulnerable. If yes, what can we do to mitigate the problem?

https://nvd.nist.gov/vuln/detail/CVE-2023-5129
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

@gotethics We already checked whether Aspose.Words is affected by CVE-2023-4863. SkiaSharp uses libwebp to process WEBP images, but Aspose.Words doesn’t support WEBP images and doesn’t work with libwebp. So it is not affected by CVE-2023-4863.
Also, the CVE-2023-4863 vulnerability was fixed in version 2.88.6 of SkiaSharp. We have already updated the SkiaSharp version in the current codebase, and the next version of Aspose.Words will use the fixed version.

CVE-2023-5129 is a duplicate of CVE-2023-4863.

@gotethics,

Regarding Aspose.Cells, we did log a ticket as “CELLSNET-54320” for it. The issue has already been resolved in the APIs. We have updated the version of SkiaSharp to 2.88.6 for the CVE-2023-4863 vulnerability. The enhancement is included in our latest release (Aspose.Cells for .NET v23.10), which we released yesterday. Please try it.

As for Aspose.Slides, we already added a ticket SLIDESNET-44238 to our issue-tracking system. Our developers will investigate the issue.
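The two replies above pin the relevant fact for a defender: the libwebp fix for CVE-2023-4863 reached SkiaSharp in 2.88.6, and Aspose pulls SkiaSharp in as a dependency. The following script is an added example (not Aspose's code, not part of this thread) that audits a .NET project's resolved package graph for SkiaSharp builds below 2.88.6. It reads the project's `packages.lock.json`, which records transitive packages such as SkiaSharp that a `.csproj` alone would not show, and also inspects direct `PackageReference` entries. The sample lock file and project file are constructed for the demonstration; treating a prerelease build of 2.88.6 as not yet fixed is an assumption made to err on the safe side.

```python
"""Audit a .NET project's resolved packages for a SkiaSharp build older than
2.88.6, the release the thread above identifies as carrying the libwebp fix
for CVE-2023-4863.  Added example; the sample inputs below are constructed."""
import json
import re
import xml.etree.ElementTree as ET

FIXED_SKIASHARP = "2.88.6"   # version named in the thread as containing the fix
PACKAGE = "SkiaSharp"


def parse_version(v):
    """Return a sortable key for a NuGet-style version string.
    Assumption: a prerelease build ('2.88.6-preview.1') sorts below the
    release, so it is treated conservatively as not yet fixed."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums = nums + (0,) * (4 - len(nums))        # pad to Major.Minor.Patch.Rev
    return (nums, 1 if not pre else 0, pre)


def is_vulnerable(version):
    """True when the resolved SkiaSharp is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_SKIASHARP)


def skiasharp_versions_from_lockfile(text):
    """Collect every resolved SkiaSharp version, per target framework, from a
    packages.lock.json (this captures transitive dependencies)."""
    data = json.loads(text)
    found = []
    for framework, deps in data.get("dependencies", {}).items():
        for name, info in deps.items():
            if name.lower() == PACKAGE.lower():
                found.append((framework, info.get("resolved")))
    return found


def skiasharp_versions_from_csproj(text):
    """Collect SkiaSharp PackageReference versions from a .csproj
    (direct references only; transitive ones need the lock file)."""
    root = ET.fromstring(text)
    found = []
    for el in root.iter("PackageReference"):
        if el.get("Include", "").lower() == PACKAGE.lower():
            found.append(el.get("Version") or (el.findtext("Version") or ""))
    return found


def audit(lockfile_text):
    """Return (framework, version, vulnerable) for each SkiaSharp entry."""
    return [(fw, v, is_vulnerable(v))
            for fw, v in skiasharp_versions_from_lockfile(lockfile_text)]


# Constructed sample lock file: one target framework still resolves an old build.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "SkiaSharp": {"type": "Transitive", "resolved": "2.88.3",
                          "contentHash": "constructed"},
            "Example.Library": {"type": "Direct", "requested": "[1.0.0, )",
                                "resolved": "1.0.0"},
        },
        "net7.0": {
            "SkiaSharp": {"type": "Transitive", "resolved": "2.88.6",
                          "contentHash": "constructed"},
        },
    },
})

# Constructed sample project file with a direct reference.
SAMPLE_CSPROJ = (
    '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
    '<PackageReference Include="SkiaSharp" Version="2.88.6" />'
    '</ItemGroup></Project>'
)

if __name__ == "__main__":
    for fw, v, vuln in audit(SAMPLE_LOCK):
        print(f"{fw}: SkiaSharp {v} -> {'UPDATE NEEDED' if vuln else 'ok'}")
    print("direct references:", skiasharp_versions_from_csproj(SAMPLE_CSPROJ))
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of `packages.lock.json` (generated when `RestorePackagesWithLockFile` is enabled for the project); the lock file matters because an application that only references an Aspose package will still carry SkiaSharp transitively, and a direct `.csproj` scan would miss it.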

Thank you for your response. When will the fixed version of Aspose.Words be available? And will this fix also be released for Aspose.Pdf and Aspose.Email?

@gotethics As I have mentioned, Aspose.Words is not affected by CVE-2023-4863. So no fix is required.

The version with the updated SkiaSharp will be released at the beginning of next month. But this is not a fix. We updated the SkiaSharp version for the future, in case we decide to use libwebp in Aspose.Words.

Hello @gotethics,

Aspose.Email doesn’t use the libwebp library so it is not affected by CVE-2023-4863/CVE-2023-5129.

The issues you have found earlier (filed as WORDSNET-26016) have been fixed in this Aspose.Words for .NET 23.11 update, which is also available on NuGet.

The issues you have found earlier (filed as SLIDESNET-44238) have been fixed in this update. This message was posted using the Bugs notification tool by asad.ali.