Security Vulnerability - CVE-2021-24112

devtbs · December 23, 2022, 7:51pm

We have run a security scan on one of our applications that uses ASPOSE.TOTAL for .NET. We are using Apose.PDF (22.12.0), Aspose.Cells (22.12.0), Aspose.Diagram (22.12.0), Aspose.PUB (22.12.0), and Aspose.Slides.NET (22.12.0). We have adding these to our project using Nuget. All of these packages appear to be vulnerable to CWE-94 / CVE-2021-24112 that allows for remote code execution. This is considered a high vulnerability in the code scan. The issue is related to the System.Drawing.Common v5.0.2 dependency that these packages are using and it appears that this vulnerability has been patched in System.Drawing.Common v5.0.3.

There was another high risk vulnerability CWE-755 that was found in the Aspose.PDF (22.12.0) that relates to the Newtonsoft.Json dependency in Microsoft.Extension.DependencyModel.

Are you in the process of having these vulnerabilities patched and will you be able to patch these in the upcoming release?

tahir.manzoor · December 24, 2022, 6:38am

@devtbs

Please note all code used in Aspose products are managed and safe. We have not got any security vulnerability complaint for our products.

Could you please share the security scan reports for all Aspose products?

devtbs · December 27, 2022, 8:41pm

Hi Tahir,

Thank you for the reply. I have attached screenshots of the security scan detailing the vulnerabilities:

Newtonsoft.Json vulnerability.png (78.0 KB)
System.Drawing.Common vulnerability.png (119.9 KB)

Andrey_Potapov · December 28, 2022, 6:37am

@devtbs,
For Aspose.Slides, I’ve added a ticket with ID SLIDESNET-43684 to our issue-tracking system. Our development team will look into the issue. We will inform you of any progress.

My colleagues will reply to you soon about other Aspose products.

tahir.manzoor · December 28, 2022, 7:02am

@devtbs

A ticket PDFNET-53364 has been logged for Aspose.PDF for .NET in our issue tracking system. We will inform you once there is an update available on it.

Amjad_Sahi · December 28, 2022, 12:05pm

@devtbs,

Regarding Aspose.Cells, we have added a ticket with an id “CELLSNET-52486” to evaluate your issue. We will investigate and will look into the details of the issue.

Once we have an update on it, we will let you know here.

Andrey_Potapov · December 29, 2022, 8:39am

@devtbs,
System.Drawing.Common 5.0.3 will be used in Aspose.Slides 23.1. This release will be published in the second half of January.

Amjad_Sahi · January 4, 2023, 11:41am

@devtbs,

For Aspose.Cells, we will update the version of System.Drawing.Common. We list down the new enhancements/changes in our upcoming version:

Aspose.Cells for .NET7 will be included in Aspose.Cells v23.1 that would refer to System.Drawing.Common 7.0.0.
Aspose.Cells for .NET6 library will be updated to System.Drawing.Common from 4.7.0 to 7.0.0.
Aspose.Cells for .NET Standard20 will be updated to use System.Drawing.Common from 4.7.0 to 5.0.3.

aspose.notifier · January 10, 2023, 7:10am

The issues you have found earlier (filed as CELLSNET-52486) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi