CVE-2019-5032/5033/5041: Aspose Remote Code Execution Vulnerability Alert

Aspose Remote Code Execution

Recently, the Cisco Talos team released several technical analysis that Aspose.cells and Aspose.words in Aspose products have remote code execution vulnerabilities. Attackers can make a malicious file to exploit related vulnerabilities and remotely execute code after user triggers.

Vulnerability summary

Aspose.Cells Code Execution Vulnerability

CVE-2019-5032

CVSS 3.0 : 9.8

An out-of-bounds read vulnerability exists in the LabelSst record parser in the Aspose.Cells library, which can be triggered by an attacker using a special XLS file, resulting in remote code execution. The user’s action is required to successfully exploit the vulnerability.

CVE-2019-5033

CVSS 3.0 : 9.8

This vulnerability is similar to CVE-2019-5032.

  • Affected version

Aspose.Cells 19.1.0

For details, please refer to:

Aspose.Words code execution vulnerability

CVE-2019-5041

A stack overflow vulnerability exists in the EnumMetaInfo function of version 18.11.0.0 of the Aspose Aspose.Words library. A specially crafted doc file can cause a stack overflow, which can result in remote code execution. An attacker needs a file tailored to the victim to trigger this vulnerability.

  • Affected version:

Aspose.Words 18.11.0.0

For details, please refer to:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0805

Solution

According to the researcher’s instructions, Aspose officials have not responded to the above vulnerabilities, nor have they released relevant patches to fix the above vulnerabilities.