CVE-2019-5033
Description
An exploitable out-of-bounds read vulnerability exists in the Number record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in Aspose.Cells 19.1.0's Number record parser can be exploited via a malformed XLS file to achieve remote code execution.
Vulnerability
A vulnerability exists in the Number record parser of Aspose.Cells for C++ version 19.1.0. The library processes specially crafted XLS files; when parsing a malformed Number record, an out-of-bounds read occurs [1]. This leads to memory corruption that an attacker can leverage for remote code execution. Affected product: Aspose.Cells for C++ 19.1.0 [1].
Exploitation
An attacker must provide a malformed XLS file to a victim using an application that relies on the Aspose.Cells library (e.g., for file conversion). No user interaction beyond opening or processing the file is required [1]. The vulnerability is triggered when the library attempts to parse the crafted Number record, resulting in an access violation as demonstrated by the crash analysis [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the process using the library. This can lead to full compromise of confidentiality, integrity, and availability (CIA) [1]. The CVSSv3 score is 9.8 (Critical) with network attack vector, low attack complexity, no privileges required, and no user interaction [1].
Mitigation
As of the publication date (2019-08-21), Aspose has released a fix in version 19.2 or later [1]. Users should upgrade to a patched version. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. No workaround is available other than upgrading [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Aspose/Aspose.Cells
  - Range: =19.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2019-0795
News mentions
No linked articles in our index yet.