Platform: docker
Component: docker
Fixed in: (table of fixed versions; the component name belonging to each version did not survive extraction)
CVE-2025-10702 describes a Code Injection vulnerability affecting Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC, and DataDirect Hybrid Data Pipeline JDBC drivers. This vulnerability allows for Remote Code Inclusion (RCI) through the exploitation of an undocumented syntax within the SpyAttribute connection option. Affected versions are those prior to the patch released on 2025-11-19. Immediate action is recommended to prevent potential compromise.
The vulnerability lies in the improper handling of the SpyAttribute connection option. This option, intended for debugging and monitoring purposes, contains an undocumented syntax that attackers can exploit. By crafting malicious input for this option, an attacker can inject and execute arbitrary code on the server hosting the JDBC driver. This could lead to complete system compromise, including data exfiltration, privilege escalation, and the installation of persistent malware. The blast radius extends to any application utilizing these JDBC drivers, particularly those allowing user-controlled input to influence connection parameters. This is similar in concept to other JDBC injection vulnerabilities where improperly sanitized connection strings are exploited.
CVE-2025-10702 was publicly disclosed on 2025-11-19. The EPSS score is currently pending evaluation, but the nature of the vulnerability (Remote Code Inclusion) suggests a potentially high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's severity warrants immediate attention. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Applications utilizing Progress DataDirect JDBC drivers, particularly those deployed in environments where user-supplied data is used to configure JDBC connections, are at risk. Shared hosting environments where multiple applications share the same JDBC driver instance are especially vulnerable, as a compromise in one application could potentially affect others.
• linux / server: search the application's service log for the option name (the unit name is a placeholder for your application's service):
journalctl -u <application-service> | grep -i "SpyAttribute"
• generic web: check whether a web front end forwards the option into a connection string (the endpoint is a placeholder; curl writes its verbose output to stderr, hence the redirect):
curl -v '<jdbc_endpoint>/?SpyAttribute=test' 2>&1 | grep 'SpyAttribute='
• database (mysql, redis, mongodb, postgresql): while this is a JDBC driver vulnerability, check for unusual JDBC connection strings in configuration files.
-- (Example - MySQL) - Inspect connection string for SpyAttribute; the variable name is a placeholder, since JDBC connection strings normally live in application configuration rather than in the database server
SHOW VARIABLES LIKE 'jdbc_connection_string';
Timeline: disclosure / patch (both dated 2025-11-19 in the text above)
Exploit status
EPSS: 0.35% (percentile 57%)
CISA SSVC: (no value given)
The primary mitigation is to upgrade to a patched version of the DataDirect JDBC drivers. Progress has released a fix on 2025-11-19; ensure your environment is updated to this version or later. As a temporary workaround, if upgrading is not immediately feasible, consider disabling the SpyAttribute option entirely if it is not essential for your application's functionality. Review your application's code to ensure that any user-supplied data used in constructing JDBC connection strings is properly validated and sanitized. Implement Web Application Firewall (WAF) rules to block requests containing suspicious patterns in the SpyAttribute parameter.
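A defensive counterpart to the advice above, as an added example (not Progress's or the advisory's code): an allowlist that keeps caller-controlled JDBC connection options away from SpyAttribute. The allowed option names, the DataDirect-style URL layout and the plural spelling of the option are assumptions made for the example.

```python
import logging
import re

log = logging.getLogger("jdbc-guard")

# Options a caller is allowed to influence (assumed set for this example),
# mapped from a case-folded lookup key to the spelling placed in the URL.
ALLOWED_OPTIONS = {
    "databasename": "DatabaseName",
    "logintimeout": "LoginTimeout",
}

# Debug/monitoring options that must never be caller-controlled. The
# advisory names "SpyAttribute"; matching by prefix also covers the
# plural spelling (an assumption, not taken from the advisory).
DENIED_PREFIXES = ("spyattribute",)

# Values may not contain ';' or '=', so a caller cannot smuggle a second
# option such as "x;SpyAttribute=..." inside an otherwise allowed value.
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,128}$")


class UnsafeConnectionOption(ValueError):
    """Raised when caller input tries to set a denied or malformed option."""


def find_denied(user_opts: dict) -> list:
    """Return the caller-supplied option names that hit the deny list."""
    return [k for k in user_opts if k.strip().lower().startswith(DENIED_PREFIXES)]


def sanitize_options(user_opts: dict) -> dict:
    """Keep only allowlisted options with conservative values; reject the rest loudly."""
    denied = find_denied(user_opts)
    if denied:
        log.warning("rejected caller-controlled JDBC option(s): %s", denied)
        raise UnsafeConnectionOption(f"option not permitted: {denied}")
    clean = {}
    for key, value in user_opts.items():
        canonical = ALLOWED_OPTIONS.get(key.strip().lower())
        if canonical is None:
            log.info("dropping unknown JDBC option %r", key)
            continue
        if not _VALUE_RE.match(str(value)):
            raise UnsafeConnectionOption(f"malformed value for {key}")
        clean[canonical] = str(value)
    return clean


def build_url(db: str, host: str, port: int, user_opts: dict) -> str:
    """Assemble a DataDirect-style URL from fixed server-side parts plus sanitized options."""
    parts = [f"jdbc:datadirect:{db}://{host}:{port}"]
    parts += [f"{k}={v}" for k, v in sorted(sanitize_options(user_opts).items())]
    return ";".join(parts)
```

The warning log line doubles as a detection signal: any hit on the deny list means a caller attempted to reach the debug option and is worth alerting on.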
Update the Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC and Hybrid Data Pipeline drivers to the latest available version. This fixes the code injection vulnerability. Consult the Progress security advisory for further details and specific update instructions.
CVE-2025-10702 is a Code Injection vulnerability affecting Progress DataDirect JDBC drivers, allowing Remote Code Inclusion through the SpyAttribute connection option.
You are affected if you are using Progress DataDirect JDBC drivers older than the patched release of 2025-11-19 and the SpyAttribute option is enabled or potentially reachable from user input.
Upgrade to a patched version of the DataDirect JDBC drivers released on 2025-11-19 or later. As a temporary workaround, disable the SpyAttribute option if it's not essential.
No public exploitation has been confirmed, but the vulnerability's severity warrants immediate attention and proactive mitigation.
Refer to the Progress Security Advisory for detailed information and the latest updates: [https://www.progress.com/security-advisories](https://www.progress.com/security-advisories)