[Fixed-version table residue: the columns were Platform / Component / Fixed version, the platform and component rows both read "docker", and extraction dropped the component names; only the fixed-version column survives, with the values 4.6.3, 5.1.5, 6.0.1, 6.0.2, 6.1.1, 8.1.1 and 9.0.1.]
CVE-2025-10702 describes a Code Injection vulnerability affecting the Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC, and DataDirect Hybrid Data Pipeline JDBC drivers. It allows Remote Code Inclusion (RCI) through an undocumented syntax accepted by the SpyAttribute connection option. Affected versions are those released before the patch of 2025-11-19. Immediate action is recommended to prevent potential compromise.
The vulnerability lies in the improper handling of the SpyAttribute connection option. This option, intended for debugging and monitoring purposes, accepts an undocumented syntax that attackers can exploit. By crafting a malicious value for the option, an attacker can inject and execute arbitrary code inside the JVM that loads the JDBC driver, which is the application process, not the database server. This could lead to complete compromise of that host, including data exfiltration, privilege escalation, and the installation of persistent malware. The blast radius extends to any application using these drivers, particularly those that allow user-controlled input to influence connection parameters. It is similar in concept to other JDBC injection vulnerabilities in which improperly sanitized connection strings are exploited.
CVE-2025-10702 was publicly disclosed on 2025-11-19. Its EPSS score is currently 0.35% (57th percentile), but the nature of the vulnerability (Remote Code Inclusion) suggests a potentially high probability of exploitation once a technique becomes known. No public proof-of-concept (PoC) code had been released at the time of writing, but the severity warrants immediate attention. Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Applications using the Progress DataDirect JDBC drivers are at risk, particularly those deployed where user-supplied data is used to configure JDBC connections. Shared application servers in which several applications run in the same JVM and share one copy of the driver are especially exposed, because a compromise through one application's connection string affects the whole process.
• linux / server: search application configuration, JDBC URLs and JVM command lines for the option name (the pattern also matches the plural spelling SpyAttributes)
grep -rIn --include='*.properties' --include='*.xml' --include='*.yml' --include='*.yaml' --include='*.conf' 'SpyAttribute' /etc /opt /srv
ps -eo pid,args | grep -i '[S]pyAttribute'
• driver version: read the driver jar's manifest and compare the version against the patched release from 2025-11-19
unzip -p /path/to/datadirect-driver.jar META-INF/MANIFEST.MF | grep -i version
• generic web: if the application lets request parameters influence connection options, look for the option name in access logs
grep -i 'SpyAttribute' /var/log/nginx/access.log
• database (mysql, redis, mongodb, postgresql): this is a client-side driver vulnerability; the database server does not store the client's JDBC URL, so there is no server-side variable to query. The connection string lives in the application's configuration and should be inspected with the file checks above.
disclosure: 2025-11-19
patch: 2025-11-19
Exploit status
EPSS: 0.35% (57th percentile)
CISA SSVC: (not given)
The primary mitigation is to upgrade to a patched version of the DataDirect JDBC drivers. Progress released the fix on 2025-11-19; ensure your environment runs that release or a later one. As a temporary workaround, if upgrading is not immediately feasible, disable the SpyAttribute option entirely if it is not essential to your application. Review your application's code to ensure that any user-supplied data used in constructing JDBC connection strings is validated against an allowlist of option names and values rather than concatenated into the URL. Where connection options can be reached from HTTP requests, a Web Application Firewall (WAF) rule that blocks the SpyAttribute parameter adds a layer of defence, but it does not protect configuration files or internal callers.
Update Progress DataDirect Connect for JDBC, the DataDirect Open Access JDBC driver, and the Hybrid Data Pipeline driver to the latest version. This fixes the code injection vulnerability. See the Progress security advisory for details and the specific update procedure.
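The detection checks above and the code-review step in the mitigation both come down to one task: find where a JDBC URL carries a Spy option, and stop user input from ever putting one there. The following is an added example, not code from this page or from Progress. It assumes the DataDirect URL shape `jdbc:datadirect:<db>://host:port;Key=Value;...` in which a value may be parenthesised and contain `;` (the shape the Spy logging option takes), treats both spellings SpyAttribute and SpyAttributes as the sensitive key, and uses a constructed sample configuration file; the option allowlist `ALLOWED_USER_KEYS` is a hypothetical choice for the demo.

```python
"""Audit configuration for Spy connection options and build JDBC URLs safely.

Added example (not Progress code). Assumes DataDirect-style URLs:
    jdbc:datadirect:<db>://host:port;Key=Value;Key2=(nested;value)
Sample input below is constructed for the demo.
"""
import re

# Option name as written on the advisory page plus the plural spelling, compared case-insensitively.
SPY_KEYS = {"spyattribute", "spyattributes"}
JDBC_URL_RE = re.compile(r"jdbc:datadirect:[A-Za-z0-9]+://[^\s\"']+")

# Hypothetical allowlist of options an application may accept from a caller.
ALLOWED_USER_KEYS = {"databasename", "applicationname"}


def split_properties(s):
    """Split 'a=1;b=(x;y);c=2' on top-level ';' only; ';' inside parentheses is data."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_jdbc_url(url):
    """Return (base, {lowercased key: value}) for a DataDirect-style URL."""
    base, sep, rest = url.partition(";")
    props = {}
    for item in (split_properties(rest) if sep else []):
        key, _, value = item.partition("=")
        props[key.strip().lower()] = value.strip()
    return base, props


def find_spy_usage(config_text):
    """Return [(line_no, key, value)] for every JDBC URL in the text that sets a Spy option."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for url in JDBC_URL_RE.findall(line):
            _, props = parse_jdbc_url(url)
            for key in sorted(SPY_KEYS & props.keys()):
                hits.append((n, key, props[key]))
    return hits


def build_jdbc_url(base, user_props):
    """Hardened builder: fixed, property-free base plus allowlisted caller options.

    Rejects any option outside ALLOWED_USER_KEYS (so SpyAttribute(s) can never be
    set by a caller) and any value carrying URL metacharacters that could smuggle
    an extra 'Key=Value' pair into the string.
    """
    if not base.startswith("jdbc:datadirect:") or ";" in base:
        raise ValueError("base must be a fixed DataDirect URL without properties")
    parts = [base]
    for key, value in user_props.items():
        if key.strip().lower() not in ALLOWED_USER_KEYS:
            raise ValueError(f"connection option {key!r} is not user-settable")
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", value):
            raise ValueError(f"invalid characters in value for {key!r}")
        parts.append(f"{key.strip()}={value}")
    return ";".join(parts)


# Constructed sample of an application's properties file (not real data).
SAMPLE_CONFIG = """\
# app.properties (constructed sample)
db.url=jdbc:datadirect:sqlserver://db01:1433;DatabaseName=orders;LoginTimeout=30
report.url=jdbc:datadirect:oracle://db02:1521;ServiceName=rpt;SpyAttributes=(log=(file)/tmp/spy.log;linelimit=80)
legacy.url=jdbc:datadirect:db2://db03:50000;DatabaseName=hr;SpyAttribute=(log=(file)/var/tmp/x.log)
"""

if __name__ == "__main__":
    for line_no, key, value in find_spy_usage(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} = {value}")
    print(build_jdbc_url("jdbc:datadirect:sqlserver://db01:1433", {"DatabaseName": "orders"}))
    try:
        build_jdbc_url("jdbc:datadirect:sqlserver://db01:1433", {"DatabaseName": "orders;SpyAttributes=(log=(file)/tmp/x)"})
    except ValueError as exc:
        print("rejected:", exc)
```

The depth-aware splitter matters because a naive `split(';')` would cut the Spy value at the `;` inside its parentheses and miss or mis-report the option; the builder's value check is the same idea in reverse, refusing a value that contains the separator at all.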
CVE-2025-10702 is a Code Injection vulnerability affecting Progress DataDirect JDBC drivers, allowing Remote Code Inclusion through the SpyAttribute connection option.
You are affected if you are using a Progress DataDirect JDBC driver released before the 2025-11-19 patch and the SpyAttribute option is enabled or can be influenced by user input.
Upgrade to a patched version of the DataDirect JDBC drivers released on 2025-11-19 or later. As a temporary workaround, disable the SpyAttribute option if it's not essential.
No public exploitation has been confirmed, but the vulnerability's severity warrants immediate attention and proactive mitigation.
Refer to the Progress Security Advisory for detailed information and the latest updates: [https://www.progress.com/security-advisories](https://www.progress.com/security-advisories)