Hi team,
We have integrated with Aspose Slides in our Production Systems.
However, our application has identified a vulnerability with the following package in Aspose Slides -
System.Security.Cryptography.X509Certificates.dll:4.700.22.56512
This is the recommended package -
pkg:generic/System.Security.Cryptography.X509Certificates.dll@5.0.20.11201?nexusnamespace=Microsoft%20Corporation%2FMicrosoft%C2%AE%20.NET%20Core&nexustype=pecoff
Cause of vulnerability - cve-details
The vulnerability is caused by X.509 chain building APIs that do not completely validate the X.509 certificate due to a logic flaw.
This is a major blocker for us; it is causing the CLM scans across all our applications to fail.
Can you please fix this at the earliest and replace the package?
Thanks,
Sukriti
@sukritisehgal
Can you please provide more details about the specific issue you are facing with the vulnerability in Aspose Slides and how it is affecting your application?
We use Sonatype CLM to scan a project's dependencies for known vulnerabilities and policy violations. As part of this scan, the System.Security.Cryptography.X509Certificates.dll:4.700.22.56512 package is flagged as a vulnerability, blocking our development processes.
This package is part of the Aspose Slides library. We have tried adding the recommended package separately and even removing the vulnerable package from Aspose Slides but have run into multiple issues.
@sukritisehgal,
Thank you for reporting the issue.
We have opened the following new ticket(s) in our internal issue tracking system and will investigate the case according to the terms mentioned in Free Support Policies.
Issue ID(s): SLIDESNET-45085
You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.
Hi Andrey,
Is there an ETA for this to be fixed?
@sukritisehgal,
The issue is still open. Unfortunately, I don’t have any additional information yet. We will keep you updated. Thank you for your patience.
@sukritisehgal,
Aspose.Slides for .NET does not directly use the System.Security.Cryptography.X509Certificates assembly; accordingly, we do not explicitly reference version 4.700.22.56512.
Moreover, Aspose.Slides for .NET is currently built for multiple target frameworks: .NET Framework 2.0/3.5/4.0, .NET Standard 2.0, and .NET 6. Each build relies on its own set of system libraries with different versions.
Therefore, to accurately identify the issue, we need to know exactly which Aspose.Slides.dll build you tested.
Additionally, please note the following points:
- The library reference appears unusual for a .NET environment:
pkg:generic/System.Security.Cryptography.X509Certificates.dll@5.0.20.11201?nexusnamespace=Microsoft%20Corporation%2FMicrosoft%C2%AE%20.NET%20Core&nexustype=pecoff
- Dependency analysis is being performed with Sonatype CLM, which is not necessary for identifying dependencies in a .NET assembly.
Could you please clarify which specific product in the Aspose.Slides lineup this issue was created for?
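To answer the "which build did you test" question concretely, the script below is an added example (not Aspose or Sonatype code): it walks the directory of an installed Python package, reads the PE FileVersion of every DLL it ships, parses the pkg:generic purl quoted in this thread, and reports any DLL with the same file name whose version is below the one Sonatype recommends. Assumptions: the package directory is whatever `pip show -f aspose.slides` reports under site-packages (a hypothetical path in the usage line), and the version is located by scanning for the VS_FIXEDFILEINFO signature rather than walking the .rsrc directory, which is a heuristic shortcut that works on normal PE files but is not a full resource parser.

```python
"""Inventory the DLLs a pip-installed package ships, read each PE FileVersion,
and compare against the version named in a Sonatype pkg:generic purl.
Added example; not Aspose or Sonatype code."""
import glob
import os
import struct
import sys
from urllib.parse import parse_qs

VS_FIXEDFILEINFO_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO


def fixed_file_info_version(image: bytes):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    in a PE image, or None when no version resource is present.

    Heuristic shortcut (assumption): instead of walking .rsrc to RT_VERSION,
    scan for the fixed little-endian signature. It is followed by
    dwStrucVersion, then dwFileVersionMS/dwFileVersionLS, whose high and low
    16-bit halves are the four version parts.
    """
    needle = struct.pack("<I", VS_FIXEDFILEINFO_SIGNATURE)
    offset = image.find(needle)
    while offset != -1 and offset + 16 <= len(image):
        _sig, struct_ver, ms, ls = struct.unpack_from("<IIII", image, offset)
        if struct_ver >> 16 == 1:  # dwStrucVersion is 1.x in practice; filters false hits
            return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        offset = image.find(needle, offset + 4)
    return None


def format_version(parts):
    return ".".join(str(p) for p in parts)


def version_tuple(text: str):
    """Parse '4.700.22.56512' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_generic_purl(purl: str):
    """Split 'pkg:generic/<name>@<version>?k=v&...' as Sonatype emits it.

    Returns (type, name, version, qualifiers). parse_qs percent-decodes the
    qualifiers, so nexusnamespace comes back as a readable vendor string.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    path, _, query = purl[len("pkg:"):].partition("?")
    ptype, _, name_at_version = path.partition("/")
    name, _, version = name_at_version.rpartition("@")
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return ptype, name, version, qualifiers


def versions_from_images(images):
    """images: mapping of relative DLL path -> file bytes. Returns path -> version string."""
    report = {}
    for rel_path, image in images.items():
        parts = fixed_file_info_version(image)
        report[rel_path] = format_version(parts) if parts else "unknown"
    return report


def dll_versions(package_dir: str):
    """Read every *.dll below package_dir and report its FileVersion."""
    images = {}
    pattern = os.path.join(package_dir, "**", "*.dll")
    for path in sorted(glob.glob(pattern, recursive=True)):
        with open(path, "rb") as fh:
            images[os.path.relpath(path, package_dir)] = fh.read()
    return versions_from_images(images)


def findings(report, recommended_purl):
    """DLLs whose file name matches the purl and whose version is below the recommended one."""
    _, name, recommended, _ = parse_generic_purl(recommended_purl)
    hits = []
    for rel_path, version in report.items():
        if os.path.basename(rel_path).lower() == name.lower() and version != "unknown":
            if version_tuple(version) < version_tuple(recommended):
                hits.append((rel_path, version, recommended))
    return hits


if __name__ == "__main__":
    # Usage (hypothetical path): python dll_inventory.py <site-packages>/aspose '<pkg:generic/...>'
    report = dll_versions(sys.argv[1])
    for rel_path, version in report.items():
        print(f"{version:>16}  {rel_path}")
    if len(sys.argv) > 2:
        for rel_path, found, wanted in findings(report, sys.argv[2]):
            print(f"FLAGGED {rel_path}: {found} < {wanted}")
```

The report lists every shipped DLL with its exact four-part file version, which is the information support needs to map a scanner finding back to a specific target-framework build; the purl comparison is a plain numeric version check and does not itself judge exploitability.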
Hi Andrey,
We are using Aspose Slides for Python via .NET version 25.6.0.dist-info
We strategically use Sonatype CLM to identify vulnerable dependencies in our firm and cannot get past this.
Please help us by either fixing the dependency or a version which does not have this issue.
P.S. I can share the dependency screenshot, but I am getting an error when I am trying to upload it to this thread. I am emailing it to you.
@sukritisehgal,
Thank you for the additional information. I’ve forwarded it to our developers.
The issue ID has been updated to SLIDESPYNET-292.
Thanks
Please let us know the resolution steps.
@sukritisehgal,
Sure, we will keep you updated.
Hi Andrey,
Can you please share an ETA for when we can expect this to be fixed?
@sukritisehgal,
The issue is still open. I don't have any additional information yet. Unfortunately, I cannot share an ETA for the fix.