Code injection vulnerability in multiple Progress products (CVE-2025-10703)

Published: 2025-11-19
Updated: 2026-01-22

Affected systems:
Progress DataDirect OpenAccess JDBC Driver <= 9.0.0.0019
Progress DataDirect OpenAccess JDBC Driver <= 8.1.0.0177
Progress DataDirect Hybrid Data Pipeline Server <= 4.6.2.3309
Progress DataDirect Hybrid Data Pipeline JDBC Driver <= 4.6.2.0607
Progress DataDirect Connect for JDBC for Amazon Redshift <= 6.0.0.001392
Progress DataDirect Connect for JDBC for Apache Cassandra <= 6.0.0.000805
Progress DataDirect Connect for JDBC for Hive <= 6.0.1.001499
Progress DataDirect Connect for JDBC for Apache Impala <= 6.0.0.001155
Progress DataDirect Connect for JDBC for Apache SparkSQL <= 6.0.1.001222
Progress DataDirect Connect for JDBC Autonomous REST Connec <= 6.0.1.006961
Progress DataDirect Connect for JDBC for DB2 <= 6.0.0.000717
Progress DataDirect Connect for JDBC for Google Analytics 4 <= 6.0.0.000454
Progress DataDirect Connect for JDBC for Google BigQuery <= 6.0.0.002279
Progress DataDirect Connect for JDBC for Greenplum <= 6.0.0.001712
Progress DataDirect Connect for JDBC for Informix <= 6.0.0.000690
Progress DataDirect Connect for JDBC for Microsoft Dynamic <= 6.0.0.003161
Progress DataDirect Connect for JDBC for Microsoft SQLServe <= 6.0.0.001936
Progress DataDirect Connect for JDBC for Microsoft Sharepoi <= 6.0.0.001559
Progress DataDirect Connect for JDBC for MongoDB <= 6.1.0.001654
Progress DataDirect Connect for JDBC for MySQL <= 5.1.4.000330
Progress DataDirect Connect for JDBC for Oracle Database <= 6.0.0.001747
Progress DataDirect Connect for JDBC for Oracle Eloqua <= 6.0.0.001438
Progress DataDirect Connect for JDBC for Oracle Sales Cloud <= 6.0.0.001225
Progress DataDirect Connect for JDBC for Oracle Service Clo <= 5.1.4.000298
Progress DataDirect Connect for JDBC for PostgreSQL <= 6.0.0.001843
Progress DataDirect Connect for JDBC for Progress OpenEdge <= 5.1.4.000187
Progress DataDirect Connect for JDBC for Salesforce <= 6.0.0.003020
Progress DataDirect Connect for JDBC for SAP HANA <= 6.0.0.000879
Progress DataDirect Connect for JDBC for SAP S/4 HANA <= 6.0.1.001818
Progress DataDirect Connect for JDBC for Sybase ASE <= 5.1.4.000161
Progress DataDirect Connect for JDBC for Snowflake <= 6.0.1.001821
Progress DataDirect Hybrid Data Pipeline On Premises Connec <= 4.6.2.1223
Progress DataDirect Hybrid Data Pipeline Docker <= 4.6.2.3316

Description:
CVE(CAN) ID: CVE-2025-10703

Progress Hybrid Data Pipeline and the other products listed above are made by the US company Progress. Progress Hybrid Data Pipeline is data-pipeline software, Progress Hybrid Data Pipeline Server is its server component, and Progress DataDirect Connect for JDBC is a family of high-performance JDBC drivers.

Multiple Progress products contain a code injection vulnerability. It stems from the log=(file) construct of the SpyAttributes connection option, which lets whoever controls the connection string name an arbitrary file for the JDBC driver to write its log to. Because the driver logs attacker-influenced data, an attacker can get JavaScript code written into a log file placed where the server will serve it, then request that file from the server, so that the JavaScript is executed.
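Upgrading to the fixed driver versions is the remedy. As defence in depth while that rolls out, an application that assembles JDBC connection strings from configuration (or, worse, from request input) can refuse any SpyAttributes value whose log=(file) target could end up in a web-served directory. The check below is an added example written for this advisory, not Progress code or part of any DataDirect driver. It assumes the SpyAttributes syntax `log=(file)<path>` with entries separated by semicolons, as in the DataDirect Spy documentation; the allowed log directory, the web roots and the sample connection strings are constructed for illustration and are not taken from the advisory.

```python
"""Reject JDBC connection strings whose SpyAttributes log=(file) target could
land outside an approved log directory (added example, not vendor code)."""
import posixpath
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Hypothetical site policy: driver logs may only be written here ...
ALLOWED_LOG_DIR = PurePosixPath("/var/log/jdbc-spy")
# ... and never anywhere a web server could serve them from.
WEB_ROOTS = (PurePosixPath("/var/www"), PurePosixPath("/opt/app/webapps"))

_SPY_OPEN = re.compile(r"SpyAttributes\s*=\s*\(", re.IGNORECASE)


def extract_spy_attributes(conn_string: str) -> Optional[str]:
    """Return the text inside SpyAttributes=( ... ), or None if absent.

    The value itself contains parentheses (log=(file)...), so a plain regex
    would stop at the first ')'; walk the string and balance them instead.
    Raises ValueError when the parentheses never close.
    """
    m = _SPY_OPEN.search(conn_string)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(conn_string)):
        ch = conn_string[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return conn_string[m.end():i]
    raise ValueError("unbalanced parentheses in SpyAttributes")


def log_file_target(attrs: str) -> Optional[str]:
    """Return the path from a log=(file)<path> entry, or None (e.g. log=System.out)."""
    for item in attrs.split(";"):
        key, _, value = item.strip().partition("=")
        if key.strip().lower() == "log" and value.lower().startswith("(file)"):
            return value[len("(file)"):].strip()
    return None


def check_connection_string(conn_string: str) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Paths are treated as POSIX and normalised lexically with posixpath.normpath
    (no filesystem access), so '..' segments cannot be used to escape the
    allowed directory or to sneak into a web root.
    """
    try:
        attrs = extract_spy_attributes(conn_string)
    except ValueError as exc:
        return False, str(exc)
    if attrs is None:
        return True, "no SpyAttributes option"
    target = log_file_target(attrs)
    if target is None:
        return True, "SpyAttributes present but no file log target"
    if not target.startswith("/"):
        return False, f"relative log path rejected: {target!r}"
    norm = PurePosixPath(posixpath.normpath(target))
    for root in WEB_ROOTS:
        if root == norm or root in norm.parents:
            return False, f"log target {norm} is under web root {root}"
    if ALLOWED_LOG_DIR not in norm.parents:
        return False, f"log target {norm} is outside {ALLOWED_LOG_DIR}"
    return True, f"log target {norm} accepted"


# Constructed sample connection strings (hypothetical host and database).
BASE = "jdbc:datadirect:sqlserver://db.example.internal:1433;DatabaseName=app"
SAMPLES: List[str] = [
    BASE,
    BASE + ";SpyAttributes=(log=(file)/var/log/jdbc-spy/app.log;logTName=yes)",
    BASE + ";SpyAttributes=(log=System.out;logIS=yes)",
    BASE + ";SpyAttributes=(log=(file)/var/www/html/spy.html)",
    BASE + ";SpyAttributes=(log=(file)/var/log/jdbc-spy/../../www/html/x.html)",
    BASE + ";SpyAttributes=(log=(file)/tmp/spy.log)",
    BASE + ";SpyAttributes=(log=(file)spy.log)",
    BASE + ";SpyAttributes=(log=(file)/var/log/jdbc-spy/x.log",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        allowed, reason = check_connection_string(sample)
        print("ALLOW " if allowed else "REJECT", reason)
```

Run as a pre-connect guard wherever the connection string or property map is built; the lexical normalisation is deliberate so the check cannot be bypassed with a path that does not exist yet, and the web-root test runs before the allow-list test so a traversal into a served directory is reported as such.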


Recommendation:
Vendor patch:

Progress
--------
The vendor has released an upgrade that fixes this issue; download it from the vendor's site:

https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.