We have run a security scan on one of our applications that uses ASPOSE.TOTAL for .NET. We are using Aspose.PDF (22.12.0), Aspose.Cells (22.12.0), Aspose.Diagram (22.12.0), Aspose.PUB (22.12.0), and Aspose.Slides.NET (22.12.0). We have added these to our project using NuGet. All of these packages appear to be vulnerable to CWE-94 / CVE-2021-24112, which allows for remote code execution. This is considered a high vulnerability in the code scan. The issue is related to the System.Drawing.Common v5.0.2 dependency that these packages are using, and it appears that this vulnerability has been patched in System.Drawing.Common v5.0.3.
There was another high-risk vulnerability, CWE-755, found in Aspose.PDF (22.12.0) that relates to the Newtonsoft.Json dependency in Microsoft.Extensions.DependencyModel.
Are you in the process of having these vulnerabilities patched and will you be able to patch these in the upcoming release?
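As an added example (not part of the original post and not Aspose's code), the following script shows one way to confirm which packages pull in a System.Drawing.Common version below 5.0.3 by reading NuGet's resolved dependency graph. The sample JSON is constructed, the `net6.0` target is an assumption, and `find_unpatched` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like NuGet's obj/project.assets.json. Package names
# and versions come from the post; the "net6.0" target is an assumption.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {"net6.0": {
        "Aspose.PDF/22.12.0": {"type": "package",
                               "dependencies": {"System.Drawing.Common": "5.0.2"}},
        "Aspose.Cells/22.12.0": {"type": "package",
                                 "dependencies": {"System.Drawing.Common": "5.0.2"}},
        "System.Drawing.Common/5.0.2": {"type": "package"},
    }},
})


def parse_version(text):
    # Compare on the numeric part only; a prerelease suffix is ignored.
    return tuple(int(part) for part in text.split("-")[0].split("."))


def find_unpatched(assets_json, package, fixed_in):
    """List (target, resolved_version, parents) where package resolved below fixed_in."""
    wanted, fixed = package.lower(), parse_version(fixed_in)
    findings = []
    for target, libs in json.loads(assets_json).get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() != wanted or parse_version(version) >= fixed:
                continue
            # Packages that declare the dependency are what pulled it in.
            parents = sorted(
                lib for lib, meta in libs.items()
                if any(dep.lower() == wanted for dep in meta.get("dependencies", {}))
            )
            findings.append((target, version, parents))
    return findings


if __name__ == "__main__":
    for target, version, parents in find_unpatched(
            SAMPLE_ASSETS, "System.Drawing.Common", "5.0.3"):
        print(f"{target}: System.Drawing.Common {version} via {', '.join(parents)}")
```

To run it against a real project, pass the contents of `obj/project.assets.json` (written by `dotnet restore`) in place of the constructed sample.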
@devtbs,
For Aspose.Slides, I’ve added a ticket with ID SLIDESNET-43684 to our issue-tracking system. Our development team will look into the issue. We will inform you of any progress.
My colleagues will reply to you soon about other Aspose products.
A ticket PDFNET-53364 has been logged for Aspose.PDF for .NET in our issue tracking system. We will inform you once there is an update available on it.
Regarding Aspose.Cells, we have added a ticket with the ID “CELLSNET-52486” to evaluate your issue. We will investigate and look into the details of the issue.
Once we have an update on it, we will let you know here.
The issues you have found earlier (filed as CELLSNET-52486) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi
The issues you found earlier (filed as SLIDESNET-43684) have been fixed in Aspose.Slides for .NET 23.1 (ZIP, MSI).
You can check all fixes on the Release Notes page.
You can also find the latest version of our library on the Product Download page.