目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

CVE-2025-10703— Progress多款产品 代码注入漏洞

EPSS 0.11% · P29
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2025-10703の基本情報

脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
N/A
ソース: NVD (National Vulnerability Database)
脆弱性説明
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to.  If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file.  If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served.  The attacker could fetch the resource from the server causing the java script to be executed. This issue affects: DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541 DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833 DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628 DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279 DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344 DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063 DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964 DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525 DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410 DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727 DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851 DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198 DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957 DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587 DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669 DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364 DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776 DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458 DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316 DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309 DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856 DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189 DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125 DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858 DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162 DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856 DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430 DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023 DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339 DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430 DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183 DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
对生成代码的控制不恰当(代码注入)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Progress多款产品 代码注入漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Progress Hybrid Data Pipeline等都是美国Progress公司的产品。Progress Hybrid Data Pipeline是一个数据管道软件。Progress Hybrid Data Pipeline Server是一个数据管道服务器。Progress DataDirect Connect for JDBC是一套高性能JDBC驱动程序。 Progress多款产品存在代码注入漏洞,该漏洞源于SpyAttribute连接选项允许指定任意文件,可能导致远程代码包含。以下产品受到影
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
ProgressDataDirect Connect for JDBC for Amazon Redshift 0 ~ 6.0.0.001392 -
ProgressDataDirect Connect for JDBC for Apache Cassandra 0 ~ 6.0.0.000805 -
ProgressDataDirect Connect for JDBC for Hive 0 ~ 6.0.1.001499 -
ProgressDataDirect Connect for JDBC for Apache Impala 0 ~ 6.0.0.001155 -
ProgressDataDirect Connect for JDBC for Apache SparkSQL 0 ~ 6.0.1.001222 -
ProgressDataDirect Connect for JDBC Autonomous REST Connector 0 ~ 6.0.1.006961 -
ProgressDataDirect Connect for JDBC for DB2 0 ~ 6.0.0.000717 -
ProgressDataDirect Connect for JDBC for Google Analytics 4 0 ~ 6.0.0.000454 -
ProgressDataDirect Connect for JDBC for Google BigQuery 0 ~ 6.0.0.002279 -
ProgressDataDirect Connect for JDBC for Greenplum 0 ~ 6.0.0.001712 -
ProgressDataDirect Connect for JDBC for Informix 0 ~ 6.0.0.000690 -
ProgressDataDirect Connect for JDBC for Microsoft Dynamics 365 0 ~ 6.0.0.003161 -
ProgressDataDirect Connect for JDBC for Microsoft SQLServer 0 ~ 6.0.0.001936 -
ProgressDataDirect Connect for JDBC for Microsoft Sharepoint 0 ~ 6.0.0.001559 -
ProgressDataDirect Connect for JDBC for MongoDB 0 ~ 6.1.0.001654 -
ProgressDataDirect Connect for JDBC for MySQL 0 ~ 5.1.4.000330 -
ProgressDataDirect Connect for JDBC for Oracle Database 0 ~ 6.0.0.001747 -
ProgressDataDirect Connect for JDBC for Oracle Eloqua 0 ~ 6.0.0.001438 -
ProgressDataDirect Connect for JDBC for Oracle Sales Cloud 0 ~ 6.0.0.001225 -
ProgressDataDirect Connect for JDBC for Oracle Service Cloud 0 ~ 5.1.4.000298 -
ProgressDataDirect Connect for JDBC for PostgreSQL 0 ~ 6.0.0.001843 -
ProgressDataDirect Connect for JDBC for Progress OpenEdge 0 ~ 5.1.4.000187 -
ProgressDataDirect Connect for JDBC for Salesforce 0 ~ 6.0.0.003020 -
ProgressDataDirect Connect for JDBC for SAP HANA 0 ~ 6.0.0.000879 -
ProgressDataDirect Connect for JDBC for SAP S/4 HANA 0 ~ 6.0.0.001818 -
ProgressDataDirect Connect for JDBC for Sybase ASE 0 ~ 5.1.4.000161 -
ProgressDataDirect Connect for JDBC for Snowflake 0 ~ 6.0.1.001821 -
ProgressDataDirect Hybrid Data Pipeline Server 0 ~ 4.6.2.3309 -
ProgressDataDirect Hybrid Data Pipeline JDBC Driver 0 ~ 4.6.2.0607 -
ProgressDataDirect Hybrid Data Pipeline On Premises Connector 0 ~ 4.6.2.1223 -
ProgressDataDirect Hybrid Data Pipeline Docker 0 ~ 4.6.2.3316 -
ProgressDataDirect OpenAccess JDBC Driver 0 ~ 8.1.0.0177 -
ProgressDataDirect OpenAccess JDBC Driver 0 ~ 9.0.0.0019 -

II. CVE-2025-10703の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2025-10703のインテリジェンス情報

登录查看更多情报信息。

Same Patch Batch · Progress · 2025-11-19 · 3 CVEs total

CVE-2025-131475.3 MEDIUMExternal Service Interaction (DNS)
CVE-2025-10702Progress多款产品 代码注入漏洞

IV. 関連脆弱性

同じ製品: DataDirect Connect for JDBC for Amazon Redshift
同じベンダー: Progress
同じ弱点: CWE-94

V. CVE-2025-10703へのコメント

まだコメントはありません

コメントを残す