CVE-2025-10703: CWE-94 Improper Control of Generation of Code ('Code Injection') in Progress DataDirect Connect for JDBC for Amazon Redshift
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, the Progress DataDirect OpenAccess JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttributes connection option implemented by the DataDirect Connect for JDBC drivers, the DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver has a log=(file) construct that lets the caller name an arbitrary file for the driver to write its log output to. If an application allows an end user to specify a value for the SpyAttributes connection option, an attacker can cause JavaScript to be written to a log file. If that log file lands in the right location with the right extension, an application server can treat it as a resource to be served; the attacker then fetches the resource from the server, causing the JavaScript to execute.

This issue affects:
- DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
- DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
- DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
- DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
- DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
- DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
- DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
- DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
- DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
- DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
- DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851
- DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198
- DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
- DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
- DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
- DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
- DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
- DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
- DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
- DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
- DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
- DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
- DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
- DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired (no fix)
- DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
- DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
- DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
- DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
- DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
- DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
- DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
- DataDirect OpenAccess JDBC Driver 8.1: through 8.1.0.0177, fixed in 8.1.0.0183
- DataDirect OpenAccess JDBC Driver 9.0: through 9.0.0.0019, fixed in 9.0.0.0022
AI Analysis
Technical Summary
CVE-2025-10703 is a CWE-94 (Improper Control of Generation of Code) vulnerability in the Progress DataDirect Connect for JDBC drivers (Amazon Redshift, Apache Cassandra, Hive, Impala, SparkSQL and many others), the Hybrid Data Pipeline JDBC driver and the OpenAccess JDBC driver. The root cause is the SpyAttributes connection option: its log=(file) construct accepts an arbitrary path for the driver's Spy log. If an application lets an end user set this option, the attacker chooses where the driver writes, and the driver then writes content the attacker can influence into that file. Pointed at a directory the application server serves, with an extension the server maps to a script resource, the log file becomes a fetchable resource and the JavaScript embedded in it runs in the browser of whoever loads it. The advisory describes client-side execution of JavaScript (a stored cross-site-scripting outcome reached through the file system rather than through a database); it does not claim that the server itself executes the file, and whether a server would do so depends entirely on how it maps that extension. The vulnerable builds and their fixed counterparts are listed in the description above. The CVSS 4.0 base score recorded for the issue is 8.6 (High): network attack vector, low attack complexity, and no privileges or user interaction required on the attacker's side. Exploitation nevertheless has preconditions: the attacker must be able to influence the SpyAttributes option (or a JDBC URL carrying it), and the chosen log path must resolve to a location the server serves under a suitable extension. Both are realistic in multi-tenant or self-service integration platforms that accept connection settings from their users. No exploits in the wild are reported at the time of writing, but the number of affected drivers and the simplicity of the technique make this a high-priority fix for anyone using these drivers for database connectivity or data integration.
Potential Impact
For European organizations, the vulnerability threatens the confidentiality, integrity and availability of data reached through the affected JDBC drivers. Analytics, business-intelligence and integration platforms that connect to Amazon Redshift, Oracle, Microsoft SQL Server, PostgreSQL and the other supported back ends are the likely targets: an attacker who gets script served from such a platform can act within the browser sessions of its users, leading to unauthorized data access, data manipulation or service disruption. Public-facing application servers whose document roots are writable by the process running the JDBC driver are the most exposed, since that is exactly the condition the attack needs. Organizations in regulated sectors such as finance, healthcare and critical infrastructure additionally face compliance and reputational consequences if the issue is exploited. The breadth of affected database platforms and the wide use of these drivers in enterprise environments amplify the potential damage.
Mitigation Recommendations
1. Upgrade every affected DataDirect Connect for JDBC driver, OpenAccess JDBC driver and Hybrid Data Pipeline component to the fixed build listed in the description; the SAP HANA driver is retired and receives no fix, so replace it.
2. Never let end users or other untrusted sources set or influence the SpyAttributes option, in particular its log=(file) path. Connection options can typically also be supplied inside the JDBC URL, so a user-controlled URL must be treated the same way as a user-controlled property: allowlist the few options users may set and reject everything else.
3. Configure application and web servers so that nothing the JDBC driver writes can be served as a web resource; if Spy logging is needed, set its path server-side to a directory outside every document root.
4. Use file-system permissions so that the account running the driver cannot write into web-accessible directories at all.
5. Monitor application logs for connection settings containing SpyAttributes, and web access logs for requests to files with script extensions (for example .js) in locations that should not hold them.
6. Review code and run penetration tests focused on injection through logging and connection-option handling.
7. Put a web application firewall in front of exposed applications to detect and block SpyAttributes payloads in request parameters.
8. Train developers and administrators on the risk of user-controlled logging parameters and enforce secure coding standards around connection configuration.
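The option-handling problem behind items 2 and 3 above, as an added example that is neither Progress code nor code from this page: a Java helper that shows the vulnerable pattern (forwarding caller-supplied key/value pairs straight into the JDBC Properties) next to a hardened one that allowlists the options a caller may set, rejects SpyAttributes wherever it appears (as a property key, smuggled inside a property value, or in the URL, case-insensitively) and, if Spy logging is wanted at all, fixes its path server-side. The allowlisted option names, the log path and the SpyAttributes value syntax are assumptions for illustration; check them against the driver documentation.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

public final class JdbcOptionGuard {

    // Options an end user may influence; everything else is dropped.
    // The set is an assumption for this example; tailor it to the application.
    private static final Set<String> USER_SETTABLE =
            Set.of("user", "password", "databasename", "applicationname");

    // Matches the Spy logging option anywhere in a key, value or URL, case-insensitively,
    // so "spyattributes", "SPYATTRIBUTES =" and ";SpyAttributes=(...)" are all caught.
    private static final Pattern SPY_OPTION = Pattern.compile("(?i)spyattributes\\s*=");

    // Vulnerable pattern, for contrast: every caller-supplied key/value is forwarded to the
    // driver unchanged, so SpyAttributes=(log=(file)<web root>/x.js) reaches the driver.
    static Connection connectUnsafe(String url, Map<String, String> callerOptions)
            throws SQLException {
        Properties props = new Properties();
        props.putAll(callerOptions);
        return DriverManager.getConnection(url, props);
    }

    // Hardened: reject SpyAttributes outright (as a key or hidden inside a value),
    // then keep only allowlisted keys.
    static Properties sanitize(Map<String, String> callerOptions) {
        Properties props = new Properties();
        for (Map.Entry<String, String> e : callerOptions.entrySet()) {
            String key = e.getKey().trim().toLowerCase(Locale.ROOT);
            String value = e.getValue() == null ? "" : e.getValue();
            if (SPY_OPTION.matcher(key + "=").find() || SPY_OPTION.matcher(value).find()) {
                throw new IllegalArgumentException(
                        "SpyAttributes may not be supplied by callers (key: " + e.getKey() + ")");
            }
            if (USER_SETTABLE.contains(key)) {
                props.setProperty(key, value);
            }
            // anything not on the allowlist is silently dropped
        }
        return props;
    }

    // DataDirect-style URLs can carry ';'-separated options, so a URL that a caller could
    // have influenced must be checked as well (here the URL comes from server-side config).
    static void requireCleanUrl(String url) {
        if (SPY_OPTION.matcher(url).find()) {
            throw new IllegalArgumentException("JDBC URL must not carry SpyAttributes");
        }
    }

    static Connection connectSafe(String serverConfiguredUrl, Map<String, String> callerOptions)
            throws SQLException {
        requireCleanUrl(serverConfiguredUrl);
        Properties props = sanitize(callerOptions);
        // If Spy logging is wanted, the server picks the path: a fixed file outside every
        // document root. Path and option syntax are assumptions; see the driver docs.
        props.setProperty("SpyAttributes", "(log=(file)/var/log/app/jdbc-spy.log)");
        return DriverManager.getConnection(serverConfiguredUrl, props);
    }

    public static void main(String[] args) {
        // Constructed hostile inputs: the option as its own key, and hidden inside a value.
        Map<String, String> asKey = Map.of(
                "user", "report",
                "SpyAttributes", "(log=(file)/opt/tomcat/webapps/ROOT/static/evil.js)");
        Map<String, String> inValue = Map.of(
                "databaseName", "sales;SpyAttributes=(log=(file)/var/www/html/evil.js)");
        for (Map<String, String> hostile : List.of(asKey, inValue)) {
            try {
                sanitize(hostile);
                System.out.println("BUG: hostile options were accepted");
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
        // Benign input: only allowlisted keys survive (fetchSize is dropped).
        Map<String, String> benign = Map.of("user", "report", "fetchSize", "500");
        System.out.println("kept: " + sanitize(benign));
    }
}
```

The rejection is deliberately loud rather than a silent drop: a caller that tries to set SpyAttributes is either misconfigured or hostile, and either way the attempt should surface in application logs, which is also what mitigation item 5 wants to detect.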
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: ProgressSoftware
- Date Reserved: 2025-09-18T19:40:28.783Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691de8ff964c14ffeea99620
Added to database: 11/19/2025, 3:57:51 PM
Last enriched: 11/26/2025, 5:09:47 PM
Last updated: 1/7/2026, 8:55:28 AM