Search criteria
4 vulnerabilities found for Hybrid Data Pipeline by Progress Software
CVE-2025-6505 (GCVE-0-2025-6505)
Vulnerability from cvelistv5 – Published: 2025-07-29 12:56 – Updated: 2025-07-29 13:25
VLAI?
Summary
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.
When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.
Severity ?
8.1 (High)
CWE
- Unauthorized Access and Impersonation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | Hybrid Data Pipeline |
Affected:
0 , ≤ 4.6.2.3226
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T13:25:08.766953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T13:25:19.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"OAuth"
],
"packageName": "Server",
"platforms": [
"Linux"
],
"product": "Hybrid Data Pipeline",
"vendor": "Progress Software",
"versions": [
{
"lessThanOrEqual": "4.6.2.3226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnauthorized access and impersonation can occur in versions\u0026nbsp;4.6.2.3226\u0026nbsp;and below of Progress Software\u0027s Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.\u003c/span\u003e\n\u0026nbsp;When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters."
}
],
"value": "Unauthorized access and impersonation can occur in versions\u00a04.6.2.3226\u00a0and below of Progress Software\u0027s Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.\n\u00a0When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "mix credentials from different sources, potentially impersonating clients and gaining unauthorized access."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthorized Access and Impersonation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T12:56:57.219Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6505"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to\u0026nbsp;Hybrid Data Pipeline\u0026nbsp;version 4.6.2.3275 or later."
}
],
"value": "Upgrade to\u00a0Hybrid Data Pipeline\u00a0version 4.6.2.3275 or later."
}
],
"source": {
"defect": [
"HDP-12382"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-6505",
"datePublished": "2025-07-29T12:56:57.219Z",
"dateReserved": "2025-06-23T02:43:50.777Z",
"dateUpdated": "2025-07-29T13:25:19.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6504 (GCVE-0-2025-6504)
Vulnerability from cvelistv5 – Published: 2025-07-29 12:56 – Updated: 2025-07-29 13:27
VLAI?
Summary
In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.
Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.
This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
Severity ?
8.4 (High)
CWE
- Unauthorized Access to Sensitive resources
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | Hybrid Data Pipeline |
Affected:
0 , < 4.6.2.2978
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T13:26:59.758939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T13:27:02.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"IP White Listing"
],
"packageName": "HDP Server",
"platforms": [
"Linux"
],
"product": "Hybrid Data Pipeline",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "4.6.2.2978",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.\u0026nbsp;\n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.\u00a0\n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\nThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Attackers may bypass IP whitelisting to access restricted resources or UI interface."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthorized Access to Sensitive resources",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T12:56:28.054Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate the HDP Server to version 4.6.2.2978 or later.\u003c/span\u003e"
}
],
"value": "Update the HDP Server to version 4.6.2.2978 or later."
}
],
"source": {
"defect": [
"HDP-10769"
],
"discovery": "INTERNAL"
},
"title": "Possibilities of IP Spoofing via X-Forwarded-For (XFF) Header",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-6504",
"datePublished": "2025-07-29T12:56:28.054Z",
"dateReserved": "2025-06-23T02:43:49.210Z",
"dateUpdated": "2025-07-29T13:27:02.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6505 (GCVE-0-2025-6505)
Vulnerability from nvd – Published: 2025-07-29 12:56 – Updated: 2025-07-29 13:25
VLAI?
Summary
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.
When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.
Severity ?
8.1 (High)
CWE
- Unauthorized Access and Impersonation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | Hybrid Data Pipeline |
Affected:
0 , ≤ 4.6.2.3226
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T13:25:08.766953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T13:25:19.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"OAuth"
],
"packageName": "Server",
"platforms": [
"Linux"
],
"product": "Hybrid Data Pipeline",
"vendor": "Progress Software",
"versions": [
{
"lessThanOrEqual": "4.6.2.3226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnauthorized access and impersonation can occur in versions\u0026nbsp;4.6.2.3226\u0026nbsp;and below of Progress Software\u0027s Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.\u003c/span\u003e\n\u0026nbsp;When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters."
}
],
"value": "Unauthorized access and impersonation can occur in versions\u00a04.6.2.3226\u00a0and below of Progress Software\u0027s Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.\n\u00a0When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "mix credentials from different sources, potentially impersonating clients and gaining unauthorized access."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthorized Access and Impersonation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T12:56:57.219Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6505"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to\u0026nbsp;Hybrid Data Pipeline\u0026nbsp;version 4.6.2.3275 or later."
}
],
"value": "Upgrade to\u00a0Hybrid Data Pipeline\u00a0version 4.6.2.3275 or later."
}
],
"source": {
"defect": [
"HDP-12382"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-6505",
"datePublished": "2025-07-29T12:56:57.219Z",
"dateReserved": "2025-06-23T02:43:50.777Z",
"dateUpdated": "2025-07-29T13:25:19.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6504 (GCVE-0-2025-6504)
Vulnerability from nvd – Published: 2025-07-29 12:56 – Updated: 2025-07-29 13:27
VLAI?
Summary
In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.
Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.
This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
Severity ?
8.4 (High)
CWE
- Unauthorized Access to Sensitive resources
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | Hybrid Data Pipeline |
Affected:
0 , < 4.6.2.2978
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-29T13:26:59.758939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T13:27:02.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"IP White Listing"
],
"packageName": "HDP Server",
"platforms": [
"Linux"
],
"product": "Hybrid Data Pipeline",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "4.6.2.2978",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.\u0026nbsp;\n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.\u00a0\n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\nThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Attackers may bypass IP whitelisting to access restricted resources or UI interface."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthorized Access to Sensitive resources",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T12:56:28.054Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate the HDP Server to version 4.6.2.2978 or later.\u003c/span\u003e"
}
],
"value": "Update the HDP Server to version 4.6.2.2978 or later."
}
],
"source": {
"defect": [
"HDP-10769"
],
"discovery": "INTERNAL"
},
"title": "Possibilities of IP Spoofing via X-Forwarded-For (XFF) Header",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-6504",
"datePublished": "2025-07-29T12:56:28.054Z",
"dateReserved": "2025-06-23T02:43:49.210Z",
"dateUpdated": "2025-07-29T13:27:02.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}