IronXL - Security CVE
Please see information below regarding IronXL:
- All Iron Software products are DigiCert certified
- IronXL does not use Microsoft.Office.Interop
- IronXL does not use web services or send data across the internet
- No COM or COM+ interfaces are exposed in the IronXL.dll
- The library is written entirely in C#, which implicitly protects against many common attack vectors
- As few entry points as possible to the API are exposed
- Strong naming and sophisticated tamper protection
- Regularly scanned with multiple anti-virus/anti-malware scanners, using the highest security level and heuristic search for potential threats
- Every line of code goes through at least two levels of human review by senior engineers to check for security vulnerabilities
- IronXL makes no known access to unmanaged code, unlike other Excel libraries which use Office Interop
- IronXL makes use of the following .NET dependencies, none of which are known to us as a security attack vector, particularly as every object is internalized to our library (static linking) with no public or external access:
  - System.ValueTuple
  - System.Text.Encoding.CodePages
  - System.Security.Principal.Windows
  - System.Security.Permissions
  - System.Security.Cryptography.ProtectedData
  - System.Security.AccessControl
  - System.Runtime.CompilerServices.Unsafe
  - System.Reflection.TypeExtensions
  - System.Numerics.Vectors
  - System.Memory
  - System.Configuration.ConfigurationManager
  - System.Buffers
  - Npoi
  - Newtonsoft.Json
  - Microsoft.Extensions.Primitives
  - Microsoft.Extensions.FileSystemGlobbing
  - Microsoft.Extensions.FileProviders.Physical
  - Microsoft.Extensions.FileProviders.Abstractions
  - Microsoft.Extensions.Configuration.Json
  - Microsoft.Extensions.Configuration.FileExtensions
  - Microsoft.Extensions.Configuration.Binder
  - Microsoft.Extensions.Configuration.Abstractions
  - Microsoft.Extensions.Configuration
  - Microsoft.CSharp
  - ICSharpCode.SharpZipLib
  - CsvHelper