Nuget dependency vulnerability System.Security.Cryptography.Pkcs version 6.0.1 (CVE-2023-29331)

arikras · June 23, 2023, 6:52pm

The following Aspose nuget packages (aspose.cells.21.7.0, aspose.email.22.11.0, aspose.pdf.22.12.0 and aspose.cells.22.12.0.nupkg) are getting flagged for containing a vulnerable nuget dependency for System.Security.Cryptography.Pkcs version 6.0.1. Looks like even the latest versions of above mentioned packages contain the vulnerable version of System.Security.Cryptography.Pkcs.

How do we go about mitigating this issue? Can we expect a patch for the above mentioned packages using a non-vulnerable version of System.Security.Cryptography.Pkcs (this relates to CVE-2023-29331)

amjad.sahi · June 24, 2023, 4:44pm

@arikras,

Regarding Aspose.Cells, we will look into it soon. We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): CELLSNET-53597

Regarding other APIs (Aspose.PDF and Aspose.Email), our colleagues from respective teams will evaluate it and get back to you.

dmitry.samodurov · June 26, 2023, 10:30am

Hello @arikras,

Regarding Aspose.Email. We have opened the new ticket in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): EMAILNET-41102

asad.ali · June 26, 2023, 5:35pm

@arikras

For Aspose.PDF, we have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): PDFNET-54915

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

amjad.sahi · July 1, 2023, 9:18am

@arikras,

Regarding Aspose.Cells (issue id “CELLSNET-53597”), we have fixed the vulnerability/issue for System.Security.Cryptography.Pkcs. We have upgraded System.Security.Cryptography.Pkcs version to 6.0.3. We will package the fix on .NET 6.0 and .NET 7.0 frameworks in our upcoming release (Aspose.Cells v23.7) that we plan to release in the second week of July 2023. You will be notified when the supported version is released.

aspose.notifier · July 13, 2023, 3:14am

The issues you have found earlier (filed as CELLSNET-53597) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi