CVE-2023-5129, CVE-2023-4863

Hello Support Team,

In light of CVE-2023-4863/CVE-2023-5129 we would like to know if aspose is vulnerable. If yes, what can we do to mitigate the problem?

@gotethics We already checked whether Aspose.Words is affected by CVE-2023-4863 . SkiaSharp uses libwebp to process WEBP images, but Aspose.Words doesn’t support WEBP images and doesn’t work with libwebp . So it is not affected by CVE-2023-4863 .
Also, the CVE-2023-4863 vulnerability was fixed in 2.88.6 version of SkiaSharp. We already updated SkiaSharp version in the current codebase and the next version of Aspose.Words will use the fixed version.

CVE-2023-5129 is a duplicate of CVE-2023-4863.


Regarding Aspose.Cells, we did log a ticket as “CELLSNET-54320” for it. The issue has been resolved already in the APIs. We have updated version of SkiaSharp to 2.88.6 for CVE-2023-4863 vulnerability. The enhancement is included in our latest release (Aspose.Cells for .NET v23.10) that we released yesterday. Please try it.

As for Aspose.Slides, we already added a ticket SLIDESNET-44238 to our issue-tracking system. Our developers will investigate the issue.

Thank you for your response. When Aspose.Words fixed version will be available? and this fix will be also released for Aspose.Pdf and Aspose.Email?

@gotethics As I have mentioned Aspose.Words is not affected by the CVE-2023-4863. So not fix is required.

The version with updated version of SkiaSharp will be released at the beginning of the next month. But this is not a fix. We updated SkiaSharp version for future, if we decide to use libwebp in Aspose.Words.

Hello @gotethics,

Aspose.Email doesn’t use the libwebp library so it is not affected by CVE-2023-4863/CVE-2023-5129.

The issues you have found earlier (filed as WORDSNET-26016) have been fixed in this Aspose.Words for .NET 23.11 update also available on NuGet.

The issues you have found earlier (filed as SLIDESNET-44238) have been fixed in this update. This message was posted using Bugs notification tool by asad.ali