Vulnerability Name:

CVE-2015-8530 (CCN-109209)

Assigned: 2015-12-08
Published: 2016-05-05
Updated: 2019-02-14
Summary: Stack-based buffer overflow in the Initialize function in an ActiveX control in IBM SPSS Statistics 19 and 20 before 20.0.0.2-IF0008, 21 before 21.0.0.2-IF0010, 22 before 22.0.0.2-IF0011, 23 before 23.0.0.3-IF0001, and 24 before 24.0.0.0-IF0003 allows remote authenticated users to execute arbitrary code via a long argument.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References: Source: MITRE
Type: CNA
CVE-2015-8530

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21982035

Source: CCN
Type: IBM Security Bulletin 1982035 (SPSS Statistics)
IBM SPSS Statistics ActiveX Control Buffer Overflow (CVE-2015-8530)

Source: BID
Type: Third Party Advisory, VDB Entry
90524

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1035867

Source: XF
Type: UNKNOWN
ibm-spss-cve20158530-bo(109209)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:ibm:spss_statistics:*:*:*:*:*:*:*:* (Version >= 19.0.0.0 and <= 19.0.0.2)
  • OR cpe:/a:ibm:spss_statistics:*:*:*:*:*:*:*:* (Version >= 20.0.0.0 and < 20.0.0.2)
  • OR cpe:/a:ibm:spss_statistics:*:*:*:*:*:*:*:* (Version >= 21.0.0.0 and < 21.0.0.2)
  • OR cpe:/a:ibm:spss_statistics:*:*:*:*:*:*:*:* (Version >= 22.0.0.0 and < 22.0.0.2)
  • OR cpe:/a:ibm:spss_statistics:*:*:*:*:*:*:*:* (Version >= 23.0.0.0 and < 23.0.0.3)
  • OR cpe:/a:ibm:spss_statistics:24.0.0.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:spss_statistics:21.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_statistics:22.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_statistics:20.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_statistics:23.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_statistics:24.0.0.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable