CVE-2025-10703

Summary

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion.

The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to.  If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file.  If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served.  The attacker could fetch the resource from the server causing the java script to be executed.

This issue affects:

DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541

DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833

DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628

DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279

DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344

DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063

DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964

DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525

DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410 DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727 DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851

DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198

DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957

DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587

DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669

DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364

DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776

DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458

DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316

DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309 DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856

DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189

DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125 DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired

DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858

DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162

DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856

DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430

DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023

DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339 DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430

DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183

DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022

Affected Software

VendorProductVersion RangeStatus
ProgressDataDirect Connect for JDBC for Amazon Redshift0 <= 6.0.0.001392affected
ProgressDataDirect Connect for JDBC for Amazon Redshift6.0.0.001541unaffected
ProgressDataDirect Connect for JDBC for Apache Cassandra0 <= 6.0.0.000805affected
ProgressDataDirect Connect for JDBC for Apache Cassandra6.0.0.000833unaffected
ProgressDataDirect Connect for JDBC for Hive0 <= 6.0.1.001499affected
ProgressDataDirect Connect for JDBC for Hive6.0.1.001628unaffected
ProgressDataDirect Connect for JDBC for Apache Impala0 <= 6.0.0.001155affected
ProgressDataDirect Connect for JDBC for Apache Impala6.0.0.1279unaffected
ProgressDataDirect Connect for JDBC for Apache SparkSQL0 <= 6.0.1.001222affected
ProgressDataDirect Connect for JDBC for Apache SparkSQL6.0.1.001344unaffected
ProgressDataDirect Connect for JDBC Autonomous REST Connector0 <= 6.0.1.006961affected
ProgressDataDirect Connect for JDBC Autonomous REST Connector6.0.1.007063unaffected
ProgressDataDirect Connect for JDBC for DB20 <= 6.0.0.000717affected
ProgressDataDirect Connect for JDBC for DB26.0.0.000964unaffected
ProgressDataDirect Connect for JDBC for Google Analytics 40 <= 6.0.0.000454affected
ProgressDataDirect Connect for JDBC for Google Analytics 46.0.0.000525unaffected
ProgressDataDirect Connect for JDBC for Google BigQuery0 <= 6.0.0.002279affected
ProgressDataDirect Connect for JDBC for Google BigQuery6.0.0.002410unaffected
ProgressDataDirect Connect for JDBC for Greenplum0 <= 6.0.0.001712affected
ProgressDataDirect Connect for JDBC for Greenplum6.0.0.001727unaffected
ProgressDataDirect Connect for JDBC for Informix0 <= 6.0.0.000690affected
ProgressDataDirect Connect for JDBC for Informix6.0.0.000851unaffected
ProgressDataDirect Connect for JDBC for Microsoft Dynamics 3650 <= 6.0.0.003161affected
ProgressDataDirect Connect for JDBC for Microsoft Dynamics 3656.0.0.003198unaffected
ProgressDataDirect Connect for JDBC for Microsoft SQLServer0 <= 6.0.0.001936affected
ProgressDataDirect Connect for JDBC for Microsoft SQLServer6.0.0.001957unaffected
ProgressDataDirect Connect for JDBC for Microsoft Sharepoint0 <= 6.0.0.001559affected
ProgressDataDirect Connect for JDBC for Microsoft Sharepoint6.0.0.001587unaffected
ProgressDataDirect Connect for JDBC for MongoDB0 <= 6.1.0.001654affected
ProgressDataDirect Connect for JDBC for MongoDB6.1.0.001669unaffected
ProgressDataDirect Connect for JDBC for MySQL0 <= 5.1.4.000330affected
ProgressDataDirect Connect for JDBC for MySQL5.1.4.000364unaffected
ProgressDataDirect Connect for JDBC for Oracle Database0 <= 6.0.0.001747affected
ProgressDataDirect Connect for JDBC for Oracle Database6.0.0.001776unaffected
ProgressDataDirect Connect for JDBC for Oracle Eloqua0 <= 6.0.0.001438affected
ProgressDataDirect Connect for JDBC for Oracle Eloqua6.0.0.001458unaffected
ProgressDataDirect Connect for JDBC for Oracle Sales Cloud0 <= 6.0.0.001225affected
ProgressDataDirect Connect for JDBC for Oracle Sales Cloud6.0.0.001316unaffected
ProgressDataDirect Connect for JDBC for Oracle Service Cloud0 <= 5.1.4.000298affected
ProgressDataDirect Connect for JDBC for Oracle Service Cloud5.1.4.000309unaffected
ProgressDataDirect Connect for JDBC for PostgreSQL0 <= 6.0.0.001843affected
ProgressDataDirect Connect for JDBC for PostgreSQL6.0.0.001856unaffected
ProgressDataDirect Connect for JDBC for Progress OpenEdge0 <= 5.1.4.000187affected
ProgressDataDirect Connect for JDBC for Progress OpenEdge5.1.4.000189unaffected
ProgressDataDirect Connect for JDBC for Salesforce0 <= 6.0.0.003020affected
ProgressDataDirect Connect for JDBC for Salesforce6.0.0.003125unaffected
ProgressDataDirect Connect for JDBC for SAP HANA0 <= 6.0.0.000879affected
ProgressDataDirect Connect for JDBC for SAP S/4 HANA0 <= 6.0.0.001818affected
ProgressDataDirect Connect for JDBC for SAP S/4 HANA6.0.1.001858unaffected
ProgressDataDirect Connect for JDBC for Sybase ASE0 <= 5.1.4.000161affected
ProgressDataDirect Connect for JDBC for Sybase ASE5.1.4.000162unaffected
ProgressDataDirect Connect for JDBC for Snowflake0 <= 6.0.1.001821affected
ProgressDataDirect Connect for JDBC for Snowflake6.0.1.001856unaffected
ProgressDataDirect Hybrid Data Pipeline Server0 <= 4.6.2.3309affected
ProgressDataDirect Hybrid Data Pipeline Server4.6.2.3430unaffected
ProgressDataDirect Hybrid Data Pipeline JDBC Driver0 <= 4.6.2.0607affected
ProgressDataDirect Hybrid Data Pipeline JDBC Driver4.6.2.1023unaffected
ProgressDataDirect Hybrid Data Pipeline On Premises Connector0 <= 4.6.2.1223affected
ProgressDataDirect Hybrid Data Pipeline On Premises Connector4.6.2.1339unaffected
ProgressDataDirect Hybrid Data Pipeline Docker0 <= 4.6.2.3316affected
ProgressDataDirect Hybrid Data Pipeline Docker4.6.2.3430unaffected
ProgressDataDirect OpenAccess JDBC Driver0 <= 8.1.0.0177affected
ProgressDataDirect OpenAccess JDBC Driver8.1.0.0183unaffected
ProgressDataDirect OpenAccess JDBC Driver0 <= 9.0.0.0019affected
ProgressDataDirect OpenAccess JDBC Driver9.0.0.0022unaffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References