81 matches found
Security Bulletin: IBM SPSS Statistics Java SE Vulnerability Updates
Summary: Denial of service, unauthorized access and buffer size vulnerabilities have been addressed. Addresses Java CVEs: CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188, CVE-2025-2900 and CVE-2025-4447. Vulnerability Details: CVEID: CVE-2026-21945 DESCRIPTION: Java SE ...
EUVD-2015-7413
Malware in sbrugna...
EUVD-2015-0178
Malware in sbrugna...
EUVD-2021-25396
Malware in sbrugna...
EUVD-2015-8411
Malware in sbrugna...
EUVD-2024-29754
Malicious code in bioql PyPI...
EUVD-2022-46825
Malicious code in bioql PyPI...
Security Bulletin: Update JRE for Older Versions of IBM SPSS Statistics
Summary: Vulnerabilities related to encryption were found in older versions of the Java Runtime Environment (JRE). This Interim Fix addresses those problems. The IF applies to all applicable Java SE CVEs published by Oracle as part of their April 2025 Critical Patch Update plus CVE-2025-4447...
CVE-2022-43855
IBM SPSS Statistics 26.0, 27.0.1, and 28.0 IO Module could allow a local user to create multiple files that could exhaust the file handles capacity and cause a denial of service...
CVE-2024-31896
IBM SPSS Statistics 26.0, 27.0.1, 28.0.1, and 29.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information...
IBM SPSS Statistics Encryption Problem Vulnerability
IBM SPSS Statistics is a software package from International Business Machines (IBM), Inc. It is used for interactive or batch statistical analysis. An encryption issue vulnerability exists in IBM SPSS Statistics versions 26.0, 27.0.1, 28.0.1, and 29.0.2, which stems from the use of a weak encrypti...
CVE-2024-31896 IBM SPSS Statistics information disclosure
IBM SPSS Statistics 26.0, 27.0.1, 28.0.1, and 29.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information...
CVE-2024-31896
CVE-2024-31896 affects IBM SPSS Statistics versions 26.0, 27.0.1, 28.0.1, and 29.0.2. The issue stems from the use of weaker cryptographic algorithms (notably SHA-1 cipher suites), which could allow an attacker to decrypt highly sensitive information. The IBM security bulletin notes the vulnerabi...
Security Bulletin: SHA-1 cipher suites detected in older versions of SPSS Statistics (CVE-2024-31896)
Summary: The Statistics server supports SHA-1 cipher suites. SHA-1 was officially deprecated by NIST in 2011, but many applications still rely on it. Up until 2017, only theoretical attacks had been known against SHA-1, which is why many applications still rely on it. Recently, a practical attack...
Security Bulletin: Apache axis.jar is present in older Statistics releases that use IBM SPSS C&DS
Summary: Apache Axis is vulnerable to server-side request forgery, caused by improper input validation by the service admin HTTP API. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack. Customers using IBM SPSS Statistics versions 26-29 wi...
Security Bulletin: R statistical programming language - deserialization of untrusted data leading to arbitrary code execution
Summary: Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system when...