Is Aspose vulnerable to CVE-2022-30190

Is Aspose vulnerable to CVE-2022-30190? Please confirm ASAP.

Sandeep

@sgarg.saba,
Thank you for contacting support.

As for Aspose.Slides, I’ve added a ticket with ID SLIDESNET-43251 to our issue tracking system. Our development team will investigate your question. We will reply to you as soon as possible.

My colleagues will reply to you shortly about other Aspose products.

@sgarg.saba,
Hello.
Aspose.CAD is not vulnerable to this.

@sgarg.saba Aspose.Words is not affected by the CVE-2022-30190 vulnerability. The attack is performed via executing JavaScript. Aspose.Words does not execute JavaScript.

@alexey.noskov ,

I am not sure it is related to executing JavaScript. Detonating this malicious code is as simple as opening up a Word doc—in preview mode.

Regards,
Sandeep

@sgarg.saba Aspose.Imaging has no such vulnerability. Before version 21.4 there were some XXE vulnerabilities in Aspose.Imaging, but we successfully fixed those issues.

@sgarg.saba,

Generally, Aspose APIs are not affected by the CVE-2022-30190 vulnerability. Aspose APIs do not reference or depend upon the MSDT.

The infected file contains a link to an HTML file that contains JavaScript code that executes malicious code in the command line via MSDT. As a result of successful exploitation, the attackers can install programs, view, modify or destroy data, as well as create new accounts — that is, do anything that’s possible armed with the victim’s privileges in the system.

But, as I mentioned, Aspose.Words does not execute any scripts upon loading documents.
To be more protected, you can also use IResourceLoadingCallback to skip loading external resources altogether.
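An added triage example, not Aspose code and not part of the original thread: it lists the external relationships in an OOXML package, which are the links to outside resources a consuming application may try to load. The function names, the size cap and the sample package are assumptions made for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input prefer defusedxml (entity-expansion safe)

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_BYTES = 1_000_000  # assumed cap; relationship parts are normally a few KB


def external_relationships(data: bytes):
    """Return (part, type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                raise ValueError(f"oversized relationship part: {info.filename}")
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target", "")))
    return found


def needs_review(rels):
    """Hyperlinks wait for a click; other external types can be fetched on open."""
    return [r for r in rels if r[1] != "hyperlink"]


def build_sample() -> bytes:
    """Constructed sample: one internal part, one hyperlink, one external image."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{DOC_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{DOC_REL}image" '
        'Target="https://example.invalid/a.png" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in needs_review(external_relationships(build_sample())):
        print(f"{part}: external {kind} -> {target}")
```
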

@sgarg.saba
Aspose.Tasks is not vulnerable to CVE-2022-30190 because it doesn’t parse/execute HTML or JavaScript when reading files.

@sgarg.saba,
As for Aspose.Slides, our development team reported that this library is also not affected by CVE-2022-30190. We don’t use MSDT and we don’t run downloaded external resources.

To prevent even downloading external resources, the IResourceLoadingCallback interface can be used like this:

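using Aspose.Slides;

// Load the presentation with a callback that skips every external resource.
var options = new LoadOptions
{
    ResourceLoadingCallback = new ResourceLoadingSkip()
};

var presentation = new Presentation("example.pptx", options);

// Returns Skip for every resource the library asks about, so nothing is loaded.
public class ResourceLoadingSkip : IResourceLoadingCallback
{
    public ResourceLoadingAction ResourceLoading(IResourceLoadingArgs args)
    {
        return ResourceLoadingAction.Skip;
    }
}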

But again, this is not required. CVE-2022-30190 does not affect Aspose.Slides, because we do not execute anything during loading, export, or rendering a presentation.

@sgarg.saba
Aspose.ZIP is not affected by the CVE-2022-30190 vulnerability. It does not relate to MSDT in any way.

@sgarg.saba

For Aspose.PDF for .NET, an investigation ticket, PDFNET-51895, has been logged in our issue tracking system. We will analyze the ticket and let you know once it’s resolved. Furthermore, Aspose.OMR, Aspose.OCR, Aspose.Diagram, Aspose.3D, Aspose.HTML, and Aspose.Page do not have this vulnerability.

Any update on this related to Aspose.PDF?

@sgarg.saba

The ticket logged for Aspose.PDF for .NET has not yet been resolved. However, we will surely inform you once it is fully analyzed. Please spare us some time.