NuGet dependency vulnerability System.Security.Cryptography.Pkcs version 6.0.1 (CVE-2023-29331)

The following Aspose NuGet packages (aspose.cells.21.7.0, aspose.email.22.11.0, aspose.pdf.22.12.0 and aspose.cells.22.12.0.nupkg) are getting flagged for containing a vulnerable NuGet dependency on System.Security.Cryptography.Pkcs version 6.0.1. It looks like even the latest versions of the above-mentioned packages contain the vulnerable version of System.Security.Cryptography.Pkcs.

How do we go about mitigating this issue? Can we expect a patch for the above-mentioned packages using a non-vulnerable version of System.Security.Cryptography.Pkcs (this relates to CVE-2023-29331)?

@arikras,

Regarding Aspose.Cells, we will look into it soon. We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): CELLSNET-53597

Regarding other APIs (Aspose.PDF and Aspose.Email), our colleagues from respective teams will evaluate it and get back to you.

Hello @arikras,

Regarding Aspose.Email, we have opened a new ticket in our internal issue tracking system and will deliver its fix according to the terms mentioned in Free Support Policies.

Issue ID(s): EMAILNET-41102

@arikras

For Aspose.PDF, we have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): PDFNET-54915

You can obtain Paid Support Services if you need support on a priority basis, along with direct access to our Paid Support management team.

@arikras,

Regarding Aspose.Cells (issue id “CELLSNET-53597”), we have fixed the vulnerability/issue for System.Security.Cryptography.Pkcs. We have upgraded the System.Security.Cryptography.Pkcs version to 6.0.3. We will package the fix on the .NET 6.0 and .NET 7.0 frameworks in our upcoming release (Aspose.Cells v23.7), which we plan to release in the second week of July 2023. You will be notified when the supported version is released.

The issues you have found earlier (filed as CELLSNET-53597) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi
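
For the mitigation question raised in this thread, an added example (not from Aspose or from any of the posts above): a Python check over `obj/project.assets.json`, the file NuGet restore writes, that reports each target whose resolved System.Security.Cryptography.Pkcs is below 6.0.3 and which packages pull it in. The two inputs are constructed sample data; flagging every version below 6.0.3 is an assumption, since the thread only names 6.0.1 and 6.0.3, and `AFTER` assumes the project added its own direct reference to 6.0.3.

```python
import json
import sys

PKG = "System.Security.Cryptography.Pkcs"
FIXED = (6, 0, 3)  # version the Aspose.Cells reply says it upgraded to

def parse_version(text):
    """Turn '6.0.1' (or '6.0.1-preview.1') into a comparable tuple of ints."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def find_old_pkcs(assets):
    """Return one finding per target whose resolved Pkcs version is below FIXED."""
    findings = []
    for target, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() != PKG.lower() or parse_version(version) >= FIXED:
                continue
            # Packages in this target that declare a dependency on Pkcs.
            parents = sorted(
                parent for parent, info in libs.items()
                if any(dep.lower() == PKG.lower() for dep in info.get("dependencies", {}))
            )
            findings.append({"target": target, "resolved": version, "pulled_in_by": parents})
    return findings

# Constructed sample: Aspose.Cells 22.12.0 brings in Pkcs 6.0.1 transitively.
BEFORE = {"targets": {"net6.0": {
    "Aspose.Cells/22.12.0": {"type": "package", "dependencies": {PKG: "6.0.1"}},
    PKG + "/6.0.1": {"type": "package"},
}}}

# Constructed sample: same package graph, but the resolved Pkcs is 6.0.3
# (assumed result of a direct reference in the project). The declared
# minimum on Aspose.Cells is unchanged; only the resolved key matters.
AFTER = {"targets": {"net6.0": {
    "Aspose.Cells/22.12.0": {"type": "package", "dependencies": {PKG: "6.0.1"}},
    PKG + "/6.0.3": {"type": "package"},
}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_pkcs.py obj/project.assets.json
        with open(sys.argv[1], encoding="utf-8") as handle:
            print(find_old_pkcs(json.load(handle)))
    else:
        print("before:", find_old_pkcs(BEFORE))
        print("after: ", find_old_pkcs(AFTER))
```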
