Vulnerability

Hi,

We were wondering if you are able to confirm if this is a valid issue or not. One of our scanners is raising an issue with files within the aspose.jar files.

Thanks.

Below is a snippet of the results:

Glasswall scanner detected issue(s) in file Aspose.Cells.Book1.xls.xml, specific issue(s) are [{"technicalDescription":"Excel Missing","issueId":"96","riskLevel":"Medium"}]

Glasswall scanner detected issue(s) in file Aspose.Cells.pt.xml, specific issue(s) are [{"technicalDescription":"End of stream \u0027presentation.xml\u0027 not reached","issueId":"84148226","riskLevel":"Medium"}]

Glasswall scanner detected issue(s) in file AllStyles2003.docx.xml, specific issue(s) are [{"technicalDescription":"Embedded File present in itemProps1.xml","issueId":"83951616","riskLevel":"Medium"},

@teloscor Regarding Aspose.Words and the AllStyles2003.docx.xml file: it really contains a customXml part. We will check whether it is required.

We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): WORDSNET-25512

You can obtain Paid Support Services if you need support on a priority basis, along with direct access to our Paid Support management team.

@teloscor,

Regarding Aspose.Cells, we need to investigate your mentioned vulnerability/issue for certain XML files. We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): CELLSJAVA-45466


Thank you for the replies.

@teloscor,

We evaluated the ticket (logged earlier as "CELLSJAVA-45466") in detail. We can confirm those files are valid and will not cause vulnerabilities/issues while using Aspose.Cells as a library. Those files are just simple template files which contain template/model data for creating corresponding format files. Moreover, we will remove Aspose.Cells.Book1.xls in later versions.

The issues you have found earlier (filed as WORDSNET-25512) have been fixed in this Aspose.Words for Java 23.7 update.