Code Injection Vulnerability in Progress DataDirect JDBC Drivers
CVE-2025-10702
8.6HIGH
What is CVE-2025-10702?
A vulnerability in Progress DataDirect JDBC drivers allows for remote code inclusion due to improper handling of the SpyAttributes connection option. Attackers could exploit this flaw through an undocumented syntax, leading to the execution of arbitrary classes and constructors. This potentially impacts numerous applications that rely on these JDBC drivers for database connectivity. Users are advised to upgrade their drivers to the latest patched versions to safeguard against such exploits.
Affected Version(s)
DataDirect Connect for JDBC Autonomous REST Connector 0 <= 6.0.1.006961
DataDirect Connect for JDBC for Amazon Redshift 0 <= 6.0.0.001392
DataDirect Connect for JDBC for Apache Cassandra 0 <= 6.0.0.000805
References
CVSS V4
Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Brecht Snijders of Triskele Labs