CVE-2019-5032/5033/5041: Aspose Remote Code Execution Vulnerability Alert

Recently, the Cisco Talos team released several technical analysis that Aspose.cells and Aspose.words in Aspose products have remote code execution vulnerabilities. Attackers can make a malicious file to exploit related vulnerabilities and remotely execute code after user triggers.

Vulnerability summary

Aspose.Cells Code Execution Vulnerability

CVE-2019-5032

CVSS 3.0 : 9.8

An out-of-bounds read vulnerability exists in the LabelSst record parser in the Aspose.Cells library, which can be triggered by an attacker using a special XLS file, resulting in remote code execution. The user’s action is required to successfully exploit the vulnerability.

CVE-2019-5033

CVSS 3.0 : 9.8

This vulnerability is similar to CVE-2019-5032.

  • Affected version

Aspose.Cells 19.1.0

For details, please refer to:

Aspose.Words code execution vulnerability

CVE-2019-5041

A stack overflow vulnerability exists in the EnumMetaInfo function of version 18.11.0.0 of the Aspose Aspose.Words library. A specially crafted doc file can cause a stack overflow, which can result in remote code execution. An attacker needs a file tailored to the victim to trigger this vulnerability.

  • Affected version:

Aspose.Words 18.11.0.0

For details, please refer to:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0805

Solution

According to the researcher’s instructions, Aspose officials have not responded to the above vulnerabilities, nor have they released relevant patches to fix the above vulnerabilities.