exploitDog

CVE-2025-6505

Опубликовано: 29 июл. 2025

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.

Ссылки

https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6505
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:progress:hybrid_data_pipeline:*:*:*:*:*:*:*:*

Версия до 4.6.2.3275 (исключая)

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

EPSS

Процентиль: 8%

0.0003

Низкий

8.1 High

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-27cj-57m4-xhm9

CVSS3: 8.1

github

6 месяцев назад

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.

EPSS

Процентиль: 8%

0.0003

Низкий

8.1 High

CVSS3

Дефекты

CWE-287