Platform: docker
Component: docker
Fixed versions (only the fixed-version column of the table survives; the matching component rows are not on this page): 4.6.3, 5.1.5, 6.0.1, 6.0.2, 6.1.1, 8.1.1, 9.0.1
CVE-2025-10702 is a code injection vulnerability in the Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC, and DataDirect Hybrid Data Pipeline JDBC drivers. Undocumented syntax accepted by the SpyAttribute connection option allows remote code inclusion (RCI): an attacker who controls the value of that option can make the driver load and run code of their choosing. All driver releases prior to the fix Progress published on 2025-11-19 are affected; upgrade promptly.
The flaw is in how the driver parses the SpyAttribute connection option. The option exists to enable DataDirect Spy, the driver's debugging and tracing facility, and it accepts an undocumented syntax that is not validated. A JDBC driver runs inside the application's JVM, not on the database server, so code injected through this option executes with the privileges of every application process that loads the driver. From there an attacker can read whatever data the application can reach, move further using the application's credentials, and plant persistent code. The blast radius is greatest where connection parameters (a JDBC URL, a Properties object, or a DataSource attribute) are assembled from user-controlled input; the root cause is the same as in other JDBC connection-string injection vulnerabilities, where an unsanitized connection string reaches the driver.
CVE-2025-10702 was publicly disclosed on 2025-11-19, the same day the fix was released. The EPSS score recorded on this page is 0.35% (57th percentile), a low measured exploitation probability so far, but remote code inclusion in a widely embedded driver tends to attract exploit development once details circulate. No public proof-of-concept (PoC) code had been released at the time of writing. Monitor security advisories and threat intelligence feeds for indications of active exploitation.
At risk is any application that uses the Progress DataDirect JDBC drivers, and in particular deployments where user-supplied data is used to build JDBC connections. Shared hosting and multi-tenant platforms in which several applications load the same driver instance (for example through a shared application-server connection pool) are especially exposed, because a compromise through one application runs in a process that also serves the others.
• linux / server: the driver runs inside the application, so there is no `jdbcdriver` systemd unit to query; check the journal of the application that embeds it (`<app-unit>` is a placeholder) and its configuration directory for the option:
journalctl -u <app-unit> | grep -i 'spyattribute'
grep -rIni 'spyattribute' /etc/<app> /opt/<app> --include='*.properties' --include='*.xml' --include='*.yml' --include='*.yaml'
• generic web: SpyAttribute is a JDBC connection property, not an HTTP parameter, so a probe only means something if the application copies request parameters into its connection string. Send a harmless marker and then look for it in the application's logs or connection errors rather than in the HTTP response, which merely echoes what you sent:
curl -sS -o /dev/null -w '%{http_code}\n' 'https://<app-host>/<endpoint>?SpyAttribute=cve202510702probe'
journalctl -u <app-unit> | grep -i 'cve202510702probe'
• database (mysql, redis, mongodb, postgresql): the database server never sees the driver's SpyAttribute option, so there is no server-side variable to query for it (`SHOW VARIABLES` on MySQL, for example, will not reveal it). Inspect the client-side connection definitions instead: JDBC URLs and properties in datasource configuration, application-server datasource XML and environment variables, as in the linux / server check above.
Disclosure: 2025-11-19
Patch: 2025-11-19
Exploitation status
EPSS: 0.35% (57th percentile)
CISA SSVC: (no value recorded)
The primary mitigation is to upgrade to a driver release that contains the fix Progress published on 2025-11-19; see the Progress security advisory for the exact build per product. If upgrading is not immediately feasible: do not set the SpyAttribute option unless DataDirect Spy tracing is genuinely needed, and never let it be set from user input. Review every place the application assembles a JDBC URL, Properties object or DataSource from request data, and allowlist both the option names and the value characters that may come from outside. WAF rules that block request parameters named SpyAttribute are only a partial backstop: they help solely where the application copies HTTP parameters into connection strings, and they do nothing for values that arrive by other paths (configuration files, message queues, admin interfaces).
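The connection-string handling described above and the configuration checks in the detection section, as an added example written for this page (not code from Progress or from the DataDirect drivers). It assumes DataDirect-style `jdbc:datadirect:...;Key=Value` URLs in which a value may be parenthesised (the documented DataDirect Spy form, e.g. `SpyAttributes=(log=(file)/tmp/spy.log;linelimit=80)`), matches both spellings SpyAttribute and SpyAttributes case-insensitively, uses an allowlist of three user-settable options chosen for illustration, and runs over constructed sample config and log lines. It deliberately does not reproduce the undocumented syntax behind CVE-2025-10702: it shows the reachable pattern, the hardened builder, and the triage scan, not an exploit. Python is used because the scan is a triage script; the same allowlist belongs in the Java code that builds the DataSource.

```python
"""Added example: guarding and auditing the SpyAttribute connection option.

Illustrative code for this page, not Progress DataDirect code. Assumes URLs of
the form jdbc:datadirect:<db>://host:port;Key=Value;Key=Value, where a value may
be parenthesised, e.g. SpyAttributes=(log=(file)/tmp/spy.log;linelimit=80).
"""
import re
from typing import Dict, List, NamedTuple

SPY_OPTION = re.compile(r"^spyattributes?$", re.IGNORECASE)  # both spellings
JDBC_URL = re.compile(r"jdbc:\S+")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]+$")

# Options a caller may set from request data. Everything else, SpyAttribute(s)
# included, is refused instead of being forwarded to the driver.
# (Hypothetical allowlist; pick your own for a real application.)
USER_SETTABLE = frozenset({"databasename", "applicationname", "logintimeout"})


class ConnectionOptionError(ValueError):
    """Raised when user input tries to set a connection option it may not set."""


def build_url_unsafe(base_url: str, user_params: Dict[str, str]) -> str:
    """The pattern that exposes CVE-2025-10702: every user-supplied key=value is
    appended verbatim, so a request carrying SpyAttribute=... reaches the driver."""
    return base_url + "".join(f";{k}={v}" for k, v in user_params.items())


def build_url(base_url: str, user_params: Dict[str, str]) -> str:
    """Hardened builder: allowlisted keys only, and values that cannot smuggle
    a second option (no ';', '=' or parentheses)."""
    parts = [base_url]
    for key, value in user_params.items():
        if SPY_OPTION.match(key) or key.lower() not in USER_SETTABLE:
            raise ConnectionOptionError(f"connection option not permitted: {key}")
        if not SAFE_VALUE.match(value):
            raise ConnectionOptionError(f"unsafe characters in value for {key}")
        parts.append(f";{key}={value}")
    return "".join(parts)


def split_options(url: str) -> List[str]:
    """Split a DataDirect-style URL on ';' only outside parentheses, so a
    parenthesised SpyAttributes value stays in one piece."""
    chunks, current, depth = [], [], 0
    for ch in url:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            chunks.append("".join(current))
            current = []
        else:
            current.append(ch)
    chunks.append("".join(current))
    return chunks


class Finding(NamedTuple):
    line_no: int
    key: str    # option name exactly as written
    value: str  # option value, for triage


def scan_lines(lines: List[str]) -> List[Finding]:
    """Report every SpyAttribute(s) option inside JDBC URLs found in config or
    log lines. Until the driver is patched each hit needs review: who can
    influence that URL?"""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for url in JDBC_URL.findall(line):
            for chunk in split_options(url)[1:]:  # chunk 0 is scheme/host
                key, _, value = chunk.partition("=")
                if SPY_OPTION.match(key.strip()):
                    findings.append(Finding(line_no, key.strip(), value))
    return findings


# Constructed sample: two datasource properties and one connection-pool log line.
SAMPLE_LINES = [
    "# datasource.properties (constructed sample)",
    "jdbc.url=jdbc:datadirect:sqlserver://db.internal:1433;DatabaseName=orders;LoginTimeout=30",
    "jdbc.url.debug=jdbc:datadirect:oracle://db.internal:1521;SID=ORCL;SpyAttributes=(log=(file)/tmp/spy.log;linelimit=80)",
    "2025-11-20T10:01:02Z INFO pool-1 opening jdbc:datadirect:sqlserver://db.internal:1433;DatabaseName=orders;spyattribute=(log=(file)/tmp/x.log)",
]

if __name__ == "__main__":
    base = "jdbc:datadirect:sqlserver://db.internal:1433"
    attacker = {"DatabaseName": "orders", "SpyAttributes": "(log=(file)/tmp/spy.log)"}
    print("unsafe:", build_url_unsafe(base, attacker))
    try:
        build_url(base, attacker)
    except ConnectionOptionError as exc:
        print("hardened:", exc)
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.key}={f.value}")
```

The scanner splits on `;` only at parenthesis depth zero because a legitimate Spy value itself contains `;`-separated sub-options; a naive `split(";")` would miss the key or mangle the value. The hardened builder rejects by key and by value character set rather than trying to recognise the undocumented syntax, since the safe rule is that SpyAttribute never comes from outside at all.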
Update Progress DataDirect Connect for JDBC, the DataDirect Open Access JDBC drivers and the Hybrid Data Pipeline drivers to the latest available version; this fixes the code injection vulnerability. See the Progress security advisory for further details and product-specific update instructions.
CVE-2025-10702 is a code injection vulnerability in the Progress DataDirect JDBC drivers (Connect for JDBC, Open Access JDBC and Hybrid Data Pipeline JDBC) that allows remote code inclusion through the SpyAttribute connection option.
You are affected if you run a Progress DataDirect JDBC driver released before the fix of 2025-11-19, and especially if the SpyAttribute option is enabled or can be influenced by user input.
Upgrade to a DataDirect JDBC driver release that contains the 2025-11-19 fix. As a temporary workaround, do not use the SpyAttribute option unless it is essential, and never populate it from untrusted input.
No public exploitation had been confirmed at the time of writing, but the severity of remote code inclusion warrants immediate attention and proactive mitigation.
Refer to the Progress Security Advisory for detailed information and the latest updates: [https://www.progress.com/security-advisories](https://www.progress.com/security-advisories)