An IBM SPSS Statistics scripts permissions error can allow local users to gain elevated privileges, the company is reporting.
IBM's bulletin reported the vulnerability (CVE-2015-7489) on December 29. The report said the issue impacts IBM SPSS Statistics versions 220.127.116.11 and 18.104.22.168, which use a python scripts that have write permissions to Everyone. This would allow a local user to add malicious OS commands to the python code.
“These command will later be executed in case another user (for example an administrator) opens SPSS and uses that module,” IBM said in the bulletin.
IBM has issued interim fixes, 22.214.171.124-10 and 126.96.36.199-7 188.8.131.52-7, for both versions of the affected software.
IBM SPSS Statistics is a family of analytical products to include planning, data collection and analysis.