Nuget dependency security vulnerability System.Drawing.Common.4.7.0.nupkg (CVE-2021-24112)

tkn1967 · February 26, 2025, 9:00am

Dear Support,

We are using the latest package Aspose.Diagram version 25.2.0

Our scan tool (Mend formerly WhiteSource) is reporting that a currently used dependency package System.Drawing.Common.4.7.0.nupkg has a security vulnerability (CVE-2021-24112).

Security vulnerability - System_Drawing_Common.png (28.7 KB)

Dependency Path - System_Drawing_Common.png (6.7 KB)

Package information - Aspose_Diagram.png (28.7 KB)

Could you resolve this security vulnerability by using a higher version of the dependency package System.Drawing.Common.4.7.0.nupkg or solve this in another way?

Kind regards,

Thierry Knijff
Software Engineer

Professionalize.Discourse · February 26, 2025, 9:00am

@tkn1967

Could you please specify which version of System.Drawing.Common you would like to upgrade to, or if you have any specific requirements for resolving this security vulnerability?

tkn1967 · February 26, 2025, 9:12am

According to Mend advices the following top fix:

Upgrade to version System.Drawing.Common - 4.7.2,5.0.3

philip.zhou · February 26, 2025, 10:05am

@tkn1967
We will upgrade to version System.Drawing.Common 5.0.3 in next version 25.3 that we plan to release in the first half of March 2025. You will be notified when the next version is released.
Thanks.

We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): DIAGRAMNET-53683

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

tkn1967 · February 26, 2025, 2:23pm

Hi Philip,

System.Drawing.Common 5.0.3 is deprecated as mentioned in:
NuGet Gallery | System.Drawing.Common 5.0.3

Can you use another version which isn’t deprecated and vulnerable, please?

With Kind Regards,

Thierry Knijff
Software Engineer

philip.zhou · February 26, 2025, 11:36pm

@tkn1967
We apologize for having overlooked this matter.
We will upgrade to version System.Drawing.Common 4.7.2 in next version 25.3.
Thanks.

aspose.notifier · March 14, 2025, 7:05am

The issues you have found earlier (filed as DIAGRAMNET-53683) have been fixed in this update. This message was posted using Bugs notification tool by philip.zhou

tkn1967 · March 14, 2025, 10:22am

Hi Philip,

I have updated the Aspose.Diagram package to version 25.3.0
Unfortunately, I still see a dependency to System.Drawing.Common of version 4.7.0

I have added a picture of the package details here:
Package information - Aspose_Diagram_25_3_0.png (33.4 KB)

I expected that the dependency of System.Drawing.Common was updated to 4.7.2

Can you have a look on this, please?

Have a great day!

Kind Regards,

Thierry Knijff
Software Engineer

philip.zhou · March 14, 2025, 1:16pm

@tkn1967
We are sorry , we missed this part in the Nuget package.
We will resolve this issue in 25.3.1 as soon as possible which will be released in the first half of next week.
You can temporarily manually download the DLL from the download link.
We apologize for any inconvenience caused.

philip.zhou · March 17, 2025, 2:36am

@tkn1967
Please update the Aspose.Diagram package to version 25.3.1.
We apologize for any inconvenience caused.