CVE-2025-10703

Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion.<br /> <br /> The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to.  If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file.  If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served.  The attacker could fetch the resource from the server causing the java script to be executed.<br /> <br /> <br /> <br /> <br /> <br /> This issue affects:<br /> <br /> <br /> <br /> DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541<br /> <br /> DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833<br /> <br /> DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628<br /> <br /> DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279<br /> <br /> DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344<br /> <br /> DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063<br /> <br /> DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964<br /> <br /> DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525<br /> <br /> DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410<br /> DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727<br /> DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851<br /> <br /> <br /> DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198<br /> <br /> DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957<br /> <br /> DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587<br /> <br /> DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669<br /> <br /> DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364<br /> <br /> DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776<br /> <br /> DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458<br /> <br /> DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316<br /> <br /> DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309<br /> DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856<br /> <br /> <br /> DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189<br /> <br /> DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125<br /> DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired<br /> <br /> DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858<br /> <br /> DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162<br /> <br /> DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856<br /> <br /> DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430<br /> <br /> DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023<br /> <br /> DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339<br /> DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430<br /> <br /> DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183<br /> <br /> DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022