CVE-2025-10703_CVE-2025-10703

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion.

The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file. If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served. The attacker could fetch the resource from the server causing the java script to be executed.

This issue affects:

DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541

DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833

DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628

DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279

DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344

DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063

DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964

DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525

DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851

DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198

DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957

DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587

DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669

DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364

DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776

DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458

DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316

DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856

DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189

DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired

DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858

DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162

DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856

DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430

DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023

DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430

DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183

DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022

AI Analysis

AI processing failed - no valid JSON found

Basic Information

ID CVE-2025-10703

Source ProgressSoftware

Published Nov 19, 2025 at 15:47

Modified Nov 19, 2025 at 16:48

Affected Product

Vendor Progress

Product DataDirect Connect for JDBC for Amazon Redshift

Affected Versions Progress DataDirect Connect for JDBC for Amazon Redshift 0
Progress DataDirect Connect for JDBC for Apache Cassandra 0
Progress DataDirect Connect for JDBC for Hive 0
Progress DataDirect Connect for JDBC for Apache Impala 0
Progress DataDirect Connect for JDBC for Apache SparkSQL 0
Progress DataDirect Connect for JDBC Autonomous REST Connector 0
Progress DataDirect Connect for JDBC for DB2 0
Progress DataDirect Connect for JDBC for Google Analytics 4 0
Progress DataDirect Connect for JDBC for Google BigQuery 0
Progress DataDirect Connect for JDBC for Greenplum 0
Progress DataDirect Connect for JDBC for Informix 0
Progress DataDirect Connect for JDBC for Microsoft Dynamics 365 0
Progress DataDirect Connect for JDBC for Microsoft SQLServer 0
Progress DataDirect Connect for JDBC for Microsoft Sharepoint 0
Progress DataDirect Connect for JDBC for MongoDB 0
Progress DataDirect Connect for JDBC for MySQL 0
Progress DataDirect Connect for JDBC for Oracle Database 0
Progress DataDirect Connect for JDBC for Oracle Eloqua 0
Progress DataDirect Connect for JDBC for Oracle Sales Cloud 0
Progress DataDirect Connect for JDBC for Oracle Service Cloud 0
Progress DataDirect Connect for JDBC for PostgreSQL 0
Progress DataDirect Connect for JDBC for Progress OpenEdge 0
Progress DataDirect Connect for JDBC for Salesforce 0
Progress DataDirect Connect for JDBC for SAP HANA 0
Progress DataDirect Connect for JDBC for SAP S/4 HANA 0
Progress DataDirect Connect for JDBC for Sybase ASE 0
Progress DataDirect Connect for JDBC for Snowflake 0
Progress DataDirect Hybrid Data Pipeline Server 0
Progress DataDirect Hybrid Data Pipeline JDBC Driver 0
Progress DataDirect Hybrid Data Pipeline On Premises Connector 0
Progress DataDirect Hybrid Data Pipeline Docker 0
Progress DataDirect OpenAccess JDBC Driver 0
Progress DataDirect OpenAccess JDBC Driver 0

CWE Classification

CWE-94

References

community.progress.com /s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025

{
    "lastseen": "",
    "description": "Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion.\n\nThe SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to.\u00a0 If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file.\u00a0 If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served.\u00a0 The attacker could fetch the resource from the server causing the java script to be executed.\n\n\n\n\n\nThis issue affects:\n\n\n\nDataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541\n\nDataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833\n\nDataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628\n\nDataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279\n\nDataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344\n\nDataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063\n\nDataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964\n\nDataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525\n\nDataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410\nDataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727\nDataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851\n\n\nDataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198\n\nDataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957\n\nDataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587\n\nDataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669\n\nDataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364\n\nDataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776\n\nDataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458\n\nDataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316\n\nDataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309\nDataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856\n\n\nDataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189\n\nDataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125\nDataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired\n\nDataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858\n\nDataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162\n\nDataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856\n\nDataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430\n\nDataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023\n\nDataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339\nDataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430\n\nDataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183\n\nDataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022",
    "published": "2025-11-19T15:47:07.908Z",
    "modified": "2025-11-19T16:48:26.979Z",
    "type": "cve",
    "title": "CVE-2025-10703",
    "source": "ProgressSoftware",
    "references": "https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025",
    "id": "CVE-2025-10703",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "Progress DataDirect Connect for JDBC for Amazon Redshift 0\nProgress DataDirect Connect for JDBC for Apache Cassandra 0\nProgress DataDirect Connect for JDBC for Hive 0\nProgress DataDirect Connect for JDBC for Apache Impala 0\nProgress DataDirect Connect for JDBC for Apache SparkSQL 0\nProgress DataDirect Connect for JDBC Autonomous REST Connector 0\nProgress DataDirect Connect for JDBC for DB2 0\nProgress DataDirect Connect for JDBC for Google Analytics 4 0\nProgress DataDirect Connect for JDBC for Google BigQuery 0\nProgress DataDirect Connect for JDBC for Greenplum 0\nProgress DataDirect Connect for JDBC for Informix 0\nProgress DataDirect Connect for JDBC for Microsoft Dynamics 365 0\nProgress DataDirect Connect for JDBC for Microsoft SQLServer 0\nProgress DataDirect Connect for JDBC for Microsoft Sharepoint 0\nProgress DataDirect Connect for JDBC for MongoDB 0\nProgress DataDirect Connect for JDBC for MySQL 0\nProgress DataDirect Connect for JDBC for Oracle Database 0\nProgress DataDirect Connect for JDBC for Oracle Eloqua 0\nProgress DataDirect Connect for JDBC for Oracle Sales Cloud 0\nProgress DataDirect Connect for JDBC for Oracle Service Cloud 0\nProgress DataDirect Connect for JDBC for PostgreSQL 0\nProgress DataDirect Connect for JDBC for Progress OpenEdge 0\nProgress DataDirect Connect for JDBC for Salesforce 0\nProgress DataDirect Connect for JDBC for SAP HANA 0\nProgress DataDirect Connect for JDBC for SAP S/4 HANA 0\nProgress DataDirect Connect for JDBC for Sybase ASE 0\nProgress DataDirect Connect for JDBC for Snowflake 0\nProgress DataDirect Hybrid Data Pipeline Server 0\nProgress DataDirect Hybrid Data Pipeline JDBC Driver 0\nProgress DataDirect Hybrid Data Pipeline On Premises Connector 0\nProgress DataDirect Hybrid Data Pipeline Docker 0\nProgress DataDirect OpenAccess JDBC Driver 0\nProgress DataDirect OpenAccess JDBC Driver 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DataDirect Connect for JDBC for Amazon Redshift",
    "version": "0",
    "vendor": "Progress",
    "ai_description": "AI processing failed - no valid JSON found",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}