CVE-2025-10703: CWE-94 Improper Control of Generation of Code ('Code Injection') in Progress DataDirect Connect for JDBC for Amazon Redshift
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect OpenAccess JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttributes connection option implemented by the DataDirect Connect for JDBC drivers, the DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver includes a log=(file) construct that lets the user specify an arbitrary file for the driver to write its log information to. If an application allows an end user to specify a value for the SpyAttributes connection option, an attacker could cause JavaScript to be written to a log file. If that log file is in the right location with the right extension, an application server could treat it as a resource to be served. The attacker could then fetch the resource from the server, causing the JavaScript to be executed.

This issue affects:
- DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
- DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
- DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
- DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
- DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
- DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
- DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
- DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
- DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
- DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
- DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851
- DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198
- DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
- DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
- DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
- DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
- DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
- DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
- DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
- DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
- DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
- DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
- DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
- DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired
- DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
- DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
- DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
- DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
- DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
- DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
- DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
- DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183
- DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022
AI Analysis
Technical Summary
CVE-2025-10703 is a CWE-94 code injection vulnerability in the Progress DataDirect Connect for JDBC drivers (Amazon Redshift, Apache Cassandra, Hive and the other products listed above), the DataDirect OpenAccess JDBC driver and Hybrid Data Pipeline. The weakness sits in the SpyAttributes connection option: its log=(file) attribute accepts an arbitrary file path to which the driver writes its Spy trace log. If an application lets an end user supply the SpyAttributes value, the attacker chooses where that log is written and can cause JavaScript to be written into it. When the chosen path lies inside a directory the application server serves as static content and carries an extension the server treats as script (for example .js), the server hands the log file out as an ordinary resource; fetching it runs the planted JavaScript in the browser of whoever loads it, within the application's origin. The effect is therefore persistent client-side script execution of the stored-XSS kind, which the vendor classifies as remote code inclusion; the advisory describes execution of the served JavaScript, not command execution on the application or database server. The published CVSS 4.0 score is 8.6 (High), reflecting network attack vector, low attack complexity and no user interaction, with high confidentiality, integrity and availability impact. No authentication to the driver is needed, but the attacker must be able to influence the SpyAttributes option, which only applications that pass untrusted input into JDBC connection properties expose. Fixed builds are listed per product above; the SAP HANA driver is retired rather than fixed. No exploitation in the wild is reported at the time of writing, but the number of affected products and the simplicity of the technique make this a priority to address.
Potential Impact
For European organizations the exposure follows from how widely the DataDirect drivers are embedded in data integration, analytics and middleware products, often without the operator knowing which driver build a given tool ships. Successful exploitation gives the attacker persistent JavaScript served from the application's own origin: anyone who loads that resource runs it with the application's cookies and session, so session hijacking, credential theft and actions performed as the victim user are the realistic outcomes, and the poisoned file remains until it is found and removed. Because the file is written by the driver rather than uploaded through the web tier, upload filters and content scanners in front of the application never see it. Organizations using the affected drivers against Amazon Redshift, Oracle, Microsoft SQL Server, PostgreSQL and the other listed back ends, across sectors such as finance, healthcare, manufacturing and government, are in scope wherever a connection option reaches the driver from untrusted input. The published impact on confidentiality, integrity and availability is high, and compromise of user sessions on a data-access application can lead to data theft, regulatory non-compliance and reputational damage.
Mitigation Recommendations
European organizations should first inventory where the DataDirect Connect for JDBC drivers, the OpenAccess JDBC driver and Hybrid Data Pipeline are deployed, including copies bundled inside third-party ETL, BI and integration tools, and compare the driver build numbers against the fixed versions listed above (the retired SAP HANA driver has no fix, so the option must be locked down instead). Upgrade to the fixed builds. Where that cannot happen immediately, the effective interim control is to ensure SpyAttributes never reaches the driver from untrusted input: build the JDBC URL and Properties server-side from an allowlist of the keys the application actually needs (typically only credentials), drop every other key, and if Spy logging is wanted, set it yourself to a fixed file under a log directory that no web server or servlet container serves. Review application server and reverse-proxy configuration so that static content is served only from dedicated document roots that the application account cannot write to. Hybrid Data Pipeline administrators should apply the same review to data source definitions that accept driver options. A WAF rule that flags SpyAttributes or log=(file) in request parameters is a cheap tripwire but not a fix, since the parameter may arrive in a form the rule does not inspect. For detection, alert on new or modified .js (or other script-extension) files appearing under web-served directories and on Spy log files outside the expected path; a poisoned file will contain DataDirect Spy trace lines alongside the planted script. Finally, brief developers and administrators that JDBC connection properties are configuration, not user input, and that any option which names a file path is a file-write primitive.
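The vulnerable and hardened connection-setup patterns described in the analysis and the mitigations above, as an added example that is not Progress or DataDirect code. It assumes a servlet-style application that builds JDBC connection properties from request parameters; the JDBC URL, the paths /srv/app/webroot and /var/log/app, and the allowlist of user and password are assumptions. The SpyAttributes option name and the (log=(file)path;linelimit=80) syntax are the driver's documented form.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/**
 * Added example, not Progress/DataDirect code. Contrasts the pattern the
 * advisory warns about (caller-supplied connection properties forwarded to the
 * driver) with a hardened version that allowlists properties and pins the Spy
 * log outside every web-served directory. The JDBC URL, directory paths and
 * property names other than SpyAttributes are assumptions for illustration.
 */
public final class SpyAttributesHardening {

    // Assumed URL; the real one depends on the driver and target database.
    static final String JDBC_URL =
            "jdbc:datadirect:redshift://redshift.example:5439;DatabaseName=analytics";

    // VULNERABLE: every key the caller sent is forwarded to the driver. A request
    // carrying SpyAttributes=(log=(file)/srv/app/webroot/static/x.js) makes the
    // driver write its trace log into a directory the app server serves.
    static Connection connectUnsafe(Map<String, String> fromRequest) throws SQLException {
        Properties props = new Properties();
        props.putAll(fromRequest);
        return DriverManager.getConnection(JDBC_URL, props);
    }

    // HARDENED, step 1: only the keys the application deliberately exposes
    // survive; SpyAttributes and anything else from the caller is dropped.
    static final Set<String> ALLOWED_USER_KEYS = Set.of("user", "password");

    static Properties sanitize(Map<String, String> fromRequest) {
        Properties props = new Properties();
        for (Map.Entry<String, String> e : fromRequest.entrySet()) {
            if (ALLOWED_USER_KEYS.contains(e.getKey())) {
                props.setProperty(e.getKey(), e.getValue());
            }
        }
        return props;
    }

    // HARDENED, step 2: if Spy logging is wanted, the application chooses the
    // path itself and refuses any path that resolves under a served root.
    // Paths are normalized first so "/webroot/../webroot/x.js" cannot slip by;
    // if the log or root directories may be symlinks, resolve them with
    // toRealPath() before comparing.
    static Path checkedSpyLogPath(Path configuredLog, Path... servedRoots) {
        Path log = configuredLog.toAbsolutePath().normalize();
        for (Path root : servedRoots) {
            Path r = root.toAbsolutePath().normalize();
            if (log.startsWith(r)) {
                throw new IllegalStateException(
                        "Spy log " + log + " resolves inside web-served directory " + r);
            }
        }
        return log;
    }

    // DataDirect Spy syntax: (log=(file)<path>;<attribute>=<value>;...)
    static String spyAttributes(Path log) {
        return "(log=(file)" + log + ";linelimit=80)";
    }

    public static void main(String[] args) {
        // Constructed request parameters, shaped the way an attacker would send them.
        Map<String, String> fromRequest = new LinkedHashMap<>();
        fromRequest.put("user", "reportuser");
        fromRequest.put("password", "example-only");
        fromRequest.put("SpyAttributes", "(log=(file)/srv/app/webroot/static/poison.js)");

        Properties safe = sanitize(fromRequest);
        System.out.println("forwarded keys: " + safe.stringPropertyNames());

        Path webroot = Paths.get("/srv/app/webroot");
        Path logDir = Paths.get("/var/log/app");
        Path log = checkedSpyLogPath(logDir.resolve("datadirect-spy.log"), webroot);
        safe.setProperty("SpyAttributes", spyAttributes(log));
        System.out.println("SpyAttributes=" + safe.getProperty("SpyAttributes"));

        try {
            checkedSpyLogPath(Paths.get("/srv/app/webroot/../webroot/static/x.js"), webroot);
        } catch (IllegalStateException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        // DriverManager.getConnection(JDBC_URL, safe) would follow here.
    }
}
```

Compile with javac and run; the driver jar is only needed for the getConnection call, which is left out of main. Dropping SpyAttributes from user input is the fix; the path check is defense in depth for the value the application configures itself, and it does not help if the served document root is writable by the application account.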
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: ProgressSoftware
- Date Reserved: 2025-09-18T19:40:28.783Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691de8ff964c14ffeea99620
Added to database: 11/19/2025, 3:57:51 PM
Last enriched: 11/19/2025, 4:12:26 PM
Last updated: 11/22/2025, 12:23:59 PM