Hi,
I'm using UltimatePDF for our application; it's very convenient,
and now I find this one contains System.Text.Encodings.Web.dll.
According to MITRE (CVE-2021-26701),
System.Text.Encodings.Web has a Remote Code Execution Vulnerability,
so it must be upgraded to address the issue.
My questions are below:
Please help me to resolve this concern.
Best regards,
Kazuya Iijima
Kazuya, the latest version includes System.Text.Encodings.Web 6.0.0, which is not vulnerable.
Hi Kazuya, thanks for pointing that out.
I confirm we are using System.Text.Encodings.Web 4.4.0, which is vulnerable. This is a dependency of a dependency of PuppeteerSharp (which is a dependency of Ultimate PDF), so it's hard for me to say to what extent the vulnerability can be exploited from within Ultimate PDF.
From what I have checked, there are no incompatibilities if we start using System.Text.Encodings.Web 6.0.0, which is not vulnerable. I will update the dependency on the next release.
Thanks.
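An added example, not part of the thread or of Ultimate PDF's code: one way to find which packages pull System.Text.Encodings.Web in transitively and whether the resolved version falls in the ranges published as affected by CVE-2021-26701. It assumes the extension project has a NuGet `project.assets.json`; the target name, the intermediate package `Example.Intermediate` and the PuppeteerSharp version in the sample are constructed placeholders.

```python
import json

PACKAGE = "System.Text.Encodings.Web"
# Affected NuGet package versions for CVE-2021-26701 (inclusive ranges);
# the fixed releases are 4.5.1, 4.7.2 and 5.0.1.
AFFECTED = [((4, 0, 0), (4, 5, 0)), ((4, 6, 0), (4, 7, 1)), ((5, 0, 0), (5, 0, 0))]

def parse_version(text):
    """'4.4.0' -> (4, 4, 0); any prerelease or build suffix is ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)

def paths_to(assets, target, package=PACKAGE):
    """Every dependency chain (top-level package first) that ends at `package`."""
    libs, parents = {}, {}
    for key, info in assets["targets"][target].items():
        name, _version = key.split("/", 1)
        libs[name.lower()] = key
        for dep in info.get("dependencies", {}):
            parents.setdefault(dep.lower(), []).append(name.lower())

    def walk(node, tail):
        chain = [libs[node]] + tail
        ups = [p for p in parents.get(node, []) if libs[p] not in chain]
        return [c for p in ups for c in walk(p, chain)] if ups else [chain]

    return walk(package.lower(), []) if package.lower() in libs else []

def report(assets, target):
    """(chain, affected?) for each path that pulls the package in."""
    return [(" -> ".join(chain), is_affected(chain[-1].split("/", 1)[1]))
            for chain in paths_to(assets, target)]

# Constructed sample: Example.Intermediate, the target name and the
# PuppeteerSharp version are placeholders, not the real dependency graph.
TARGET = ".NETFramework,Version=v4.7.2"
SAMPLE = json.loads("""{"targets": {".NETFramework,Version=v4.7.2": {
  "PuppeteerSharp/0.0.0-sample": {"dependencies": {"Example.Intermediate": "1.0.0"}},
  "Example.Intermediate/1.0.0": {"dependencies": {"System.Text.Encodings.Web": "4.4.0"}},
  "System.Text.Encodings.Web/4.4.0": {}
}}}""")

if __name__ == "__main__":
    for chain, affected in report(SAMPLE, TARGET):
        print("AFFECTED" if affected else "ok", chain)
```

The check compares NuGet package versions, which can differ from the assembly or file version stamped on the DLL itself.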
Hi Leonard,
thank you for your quick answer.
I understand the situation.
(Sorry, I made a typing mistake, the version was 4.4.0, certainly)
And you kindly mentioned the next release,
if possible, could you tell me about the release schedule?
Now I'm facing a critical user requirement and need a quick solution.
I hope to use this forge
because it is much more useful than others,
and helps me very much to solve the problem.
Best regards.
I will release a new version next week.
Meanwhile, if you want to mitigate the issue, just open the UltimatePDF_Service extension, install System.Text.Encodings.Web 6.0.0 via NuGet, publish the extension, and republish the module UltimatePDF_Service.
Hi, Leonardo
Thank you for your kindness,
I will also consider updating the DLL by myself.
Leonardo, thank you so much!
I'll try the new version
Leonardo,
I installed the new version, it's working fine,
and no vulnerabilities were detected.
Thanks again for your kindness!