All Aspose APIs/SDKs are checked from time to time for any kind of vulnerability (including CVE-xxxx), and we remove them internally (if any are found). We recommend that you try using the latest versions of the APIs. Please try using the latest versions of the Aspose APIs, and in case you face any issues regarding security, please let us know with details (e.g., which Aspose API and which version). We will check and address it accordingly.
We are using the latest Aspose Total libraries (Aspose Total 23.3), and a security scan is performed through Mend (WhiteSource). The vulnerabilities reported above come from that scan.
More details on the vulnerabilities reported above:
CVE-2017-5661
High severity
Vulnerable versions: < 2.2
Patched version: 2.2

CVE-2022-25647
High severity
Vulnerable versions: < 2.8.9
Patched version: 2.8.9
We have logged a ticket with the ID “CELLSJAVA-45455” for your issue. We will evaluate whether we need to upgrade the version of BouncyCastle in Aspose.Cells for the security vulnerability you mentioned. Once we have an update on it, we will let you know.
Regarding the other security vulnerabilities, we will evaluate them for the other Aspose APIs/SDKs and get back to you with updates.
We have also registered a ticket with the ID WORDSJAVA-2863 for your problem. We will evaluate it for Aspose.Words for Java. As soon as we have an update, we will let you know.
@ask4dhananjay,
Regarding Aspose.Slides, we have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.
Issue ID(s): SLIDESJAVA-39217
You can obtain Paid Support Services if you need support on a priority basis, along with direct access to our Paid Support management team.
Aspose.Cells for Java has upgraded its BouncyCastle dependency from 1.60 to 1.68 in Aspose.Cells for Java 23.6.
Even in your current Aspose.Cells for Java 23.3, you can change the dependency version to use BouncyCastle 1.68, or even the latest version, 1.73 (please note that if you use v1.73, the “bcutil-*-1.73.jar” is also needed besides “bcprov-*-1.73.jar” and “bcpkix-*-1.73.jar”).
Thanks for investigating and taking action on the vulnerability we highlighted. Also, for scanning we created our own pom.xml file to scan the Aspose libraries using our security tool. However, we are not sure whether that file refers to all the third-party libraries used by Aspose. Is it possible to share your pom.xml file so that we can cover all the libraries in the scan?
Thanks for the details. I am able to resolve the vulnerability reported on org.bouncycastle:bcprov-jdk15on after updating the version in pom.xml to 1.68.
But I am not sure where I can track the following items in the Aspose libraries' installation details.
@ask4dhananjay The issue WORDSJAVA-2863 is already resolved in the current codebase. The fix will be included in the next version, 23.6, of Aspose.Words for Java.
Also, there is another defect, WORDSJAVA-2812, regarding org.bouncycastle:bc-fips; it is also already resolved, and the fix will also be included in version 23.6.
The SLIDESJAVA-39217 issue has been blocked by another issue. As far as I can see, our developers are actively working on the issues and will resolve them as soon as possible.
Aspose.Words for Java does not include dependencies on org.apache.xmlgraphics:fop or com.google.code.gson:gson. The other dependencies have been updated to the following versions: org.bouncycastle:bc-fips 1.0.2.4; com.fasterxml.woodstox:woodstox-core 6.5.2.
You can download aspose-pdf-23.5-java.zip from the Package Explorer in the Aspose Downloads section. This .zip contains files with all the information about third-party APIs and licenses.
Furthermore,

org.apache.xmlgraphics:fop
CVE-2017-5661
Severity: High
We don’t use Apache.

com.google.code.gson:gson
CVE-2022-25647
Severity: High
We have a task to update BouncyCastle as soon as a new FIPS version of BouncyCastle is released. The task PDFJAVA-42406 has been logged for it.
Thanks for the details. I understand that you gave the reference for Aspose PDF only. But the vulnerable third-party / open-source references mentioned in this ticket are included from other Aspose libraries as well.
Also, an Apache reference is found in Aspose PDF.
Aspose PDF: We can find the Apache reference after extracting the jar; it is also mentioned in “Aspose.PDF for Java .Agreements.pdf”, located in META-INF. The same can be referenced in the Slides and HTML libraries.
Other references I identified:
Aspose OMR: We can find the gson reference after extracting the jar.
Aspose Words: the Woodstox Streaming XML parser is referenced.
From your reply, “This .zip contains files that have all the information about third party APIs and licenses.”: I am not able to locate the third-party resource details (including artifacts and versions) after extracting the zip/jar. It would be helpful if you could give a reference such as a pom.xml that includes these dependencies (for the other Aspose libraries also [Words, Slides, OMR, etc.]).
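The open question in this thread is how to see which third-party artifacts and versions an Aspose jar actually bundles when no pom.xml listing them is available. A scanner driven from your own pom.xml only sees the Maven coordinates you declare and their transitive closure; classes a vendor repackages into its own jar are invisible to it, which is why the poster had to extract the jars by hand. The script below is an added example, not Aspose's code or tooling: it opens a jar, counts classes under a hand-maintained map of known third-party package prefixes (an assumption; extend it with whatever your scanner flags), reads any META-INF/maven/*/pom.properties the jar still carries for declared groupId/artifactId/version, and lists license or agreement documents under META-INF. The sample jar it builds is constructed for the demo and is not a real Aspose artifact.

```python
"""Inventory third-party code bundled inside a jar.

Added example; not Aspose code. A pom.xml-driven dependency scan only sees
declared (transitive) coordinates; classes repackaged ("shaded") into a
vendor jar are invisible to it. This script reports what a jar actually
contains so those libraries can be added to the scan by hand.
"""
import io
import re
import zipfile
from collections import Counter

# Assumption: a short, hand-maintained map of package prefix -> Maven
# coordinates. Extend it with the libraries your scanner reports.
KNOWN_PREFIXES = {
    "org/bouncycastle/": "org.bouncycastle (bcprov/bcpkix/bcutil)",
    "com/google/gson/": "com.google.code.gson:gson",
    "org/apache/fop/": "org.apache.xmlgraphics:fop",
    "com/ctc/wstx/": "com.fasterxml.woodstox:woodstox-core",
}

DOC_PATTERN = re.compile(r"licen[cs]e|notice|agreement", re.IGNORECASE)


def inventory(jar_bytes):
    """Return known bundled libraries, other class packages, Maven coordinates
    declared in META-INF/maven, and license-like documents found in the jar."""
    bundled = Counter()
    other = Counter()
    declared = {}
    docs = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                library = next((lib for prefix, lib in KNOWN_PREFIXES.items()
                                if name.startswith(prefix)), None)
                if library:
                    bundled[library] += 1
                else:
                    # Group unknown classes by their first two package segments
                    # so unlabeled third-party code still stands out.
                    other["/".join(name.split("/")[:2])] += 1
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                # Maven writes groupId/artifactId/version here when a library
                # is packaged (or shaded) with its metadata left intact.
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                coords = f"{props.get('groupId')}:{props.get('artifactId')}"
                declared[coords] = props.get("version")
            elif name.startswith("META-INF/") and DOC_PATTERN.search(name):
                docs.append(name)
    return {
        "bundled": dict(bundled),
        "other_packages": dict(other),
        "declared": declared,
        "docs": docs,
    }


def build_sample_jar():
    """Constructed sample jar for the demo; it is not a real Aspose artifact."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; the body does not matter here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/app/Main.class", stub)
        jar.writestr("org/bouncycastle/jce/provider/BouncyCastleProvider.class", stub)
        jar.writestr("org/bouncycastle/asn1/ASN1Object.class", stub)
        jar.writestr("com/google/gson/Gson.class", stub)
        jar.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                     "#Generated by Maven\ngroupId=org.bouncycastle\n"
                     "artifactId=bcprov-jdk15on\nversion=1.60\n")
        jar.writestr("META-INF/Third-Party-Agreements.pdf", b"%PDF-1.4 (placeholder)")
    return buf.getvalue()


def main():
    report = inventory(build_sample_jar())
    for section, entries in report.items():
        print(section)
        items = entries.items() if isinstance(entries, dict) else enumerate(entries)
        for key, value in items:
            print(f"  {key}: {value}")


if __name__ == "__main__":
    main()
```

To use it on a real download, call `inventory(open(path, "rb").read())` for each jar in the package. A prefix hit proves the library's classes are present but not which version; pom.properties gives the version only when the vendor kept the Maven metadata, so treat a prefix hit without a declared version as something to confirm with the vendor (or by diffing the class list against the candidate releases) before marking it clean in the scan.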