Aspose makes it a top priority to ensure that our products are free of any bugs which may cause security issues for customers. Our internal teams carefully analyze all releases for possible vulnerabilities and keep on top of emerging threats.
Recently we were made aware of two vulnerability reports from security researcher Cisco Talos.
Unfortunately, there was a long delay in us receiving these reports because Cisco Talos failed to get in touch via one of the many channels on our website and instead used incorrect email addresses. However, as soon as we were independently made aware of these reports, our development teams responded quickly and we were able to release fixes for these issues within 5 business days.
All affected customers were alerted via email. The issues are summarised below:
Aspose.Words for C++ 19.8 or earlier
CVE Number: CVE-2019-5041
Description: An exploitable Stack Based Buffer Overflow vulnerability exists in the EnumMetaInfo function of Aspose Aspose.Words for C++.
Reported to Aspose: 23-Aug-2019
Fix Released: 29-Aug-2019
Aspose.Cells for C++ 19.4 or earlier
CVE Number: CVE-2019-5041, CVE-2019-5032
Description: An exploitable out-of-bounds read vulnerability exists in the Number record parser and LabelSst record parser of Aspose.Cells for C++.
Reported to Aspose: 23-Aug-2019
Fix Released: 29-Aug-2019
It is our assessment that the vulnerabilities would be extremely difficult for an attacker to make use of in the real world, but that does not stop us taking the issues seriously and addressing them quickly. We encourage customers of Aspose.Words for C++ and Aspose.Cells for C++ to download the latest versions from the below links:
By keeping their Aspose product support & maintenance subscription up-to-date, customers can ensure they always get instant access to the latest bug and security fixes, as well as great new features added in every release.