CVE-2025-6504

Published: 29 Jul 2025
Source: nvd
CVSS3: 8.4
EPSS: Low

Description

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. 

Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.

This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.

Vulnerable configurations

Configuration 1

All of the following

cpe:2.3:a:progress:hybrid_data_pipeline:*:*:*:*:*:*:*:*
Versions before 4.6.2.2978 (excluding)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

EPSS

Percentile: 1%
0.00011
Low

8.4 High

CVSS3

Weaknesses

CWE-345

Related vulnerabilities

CVSS3: 8.4
github
6 months ago

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
