DataDirect Hybrid Data Pipeline IP Spoofing Vulnerability in Whitelisting Feature

Vulnerability

A vulnerability exists in DataDirect Hybrid Data Pipeline (HDP) versions prior to 4.6.2.2978 on Linux that allows the IP whitelisting feature to be bypassed by IP spoofing via the X-Forwarded-For (XFF) header. The whitelist check is evaluated against the address carried in this header, which is supplied by the client and is therefore attacker-controlled: a client connecting from a non-whitelisted address can set XFF to an address inside a whitelisted range and pass the check. The bypass defeats only the IP restriction; valid user credentials are still required to access resources.

Impact

Exploitation of this vulnerability allows an attacker connecting from a non-whitelisted address to reach resources that the IP whitelist was meant to shield, reducing the control to credential-based access alone. Because valid user credentials are still required, the practical impact is the loss of the network-location restriction as a defense-in-depth layer, for example against the use of stolen credentials from outside the permitted ranges.

Remediation

Users are advised to upgrade to HDP version 4.6.2.2978 or later. If an immediate upgrade is not possible, configure the firewalls and load balancers in front of HDP to restrict unauthorized incoming traffic: enforce the source-address restriction at the network edge rather than relying on HDP's own whitelist, ensure HDP accepts connections only from those edge devices, and have the reverse proxy or load balancer replace any X-Forwarded-For header received from the client with the actual connecting address rather than appending to it, so that HDP only ever sees addresses set by infrastructure under your control. For guidance on network best practices to mitigate IP spoofing, refer to the Progress documentation.
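To make the bypass in the Vulnerability section and the proxy-trust mitigation in the Remediation section concrete, the following added example (written for this page; it is not Hybrid Data Pipeline code and does not reflect HDP's internal implementation) contrasts a client-IP resolver that trusts any X-Forwarded-For header with a hardened one that only consults the header when the TCP peer is a known proxy, and then takes the rightmost address not belonging to a trusted proxy. The whitelist range, proxy address and request headers are constructed for the example; the function names are this example's own.

```python
"""X-Forwarded-For whitelist bypass: vulnerable vs. hardened client-IP resolution.

Example code written for this advisory. It is NOT Hybrid Data Pipeline code;
all addresses, ranges and headers below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse(ip: str) -> Optional[IPAddress]:
    """Return the parsed address, or None if the string is not a valid IP."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Vulnerable pattern: whenever an XFF header is present, its leftmost
    entry is taken as the client address, no matter who sent the request.
    The leftmost entry is exactly the one a direct client can forge."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str],
                       trusted_proxies: Iterable[str]) -> str:
    """Hardened pattern: XFF is only consulted when the TCP peer is one of our
    own proxies, and the header is walked right-to-left, skipping trusted
    proxies, so the first address NOT under our control is the client."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip  # direct client: ignore anything it claims in XFF

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop  # may be malformed; is_allowed() fails closed on that
    return peer_ip  # empty header or only our own proxies listed


def is_allowed(ip: str, whitelist: Iterable[str]) -> bool:
    """Whitelist check; unparseable input is denied rather than passed through."""
    addr = _parse(ip)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(n) for n in whitelist)


# Constructed values: the permitted corporate range and our own load balancer.
WHITELIST = ["10.0.0.0/8"]
TRUSTED_PROXIES = ["192.0.2.1/32"]


def scenarios() -> dict:
    """Evaluate three constructed requests under both resolvers."""
    cases = {
        # Attacker connects directly and forges XFF to a whitelisted address.
        "direct_spoof": ("203.0.113.9", {"X-Forwarded-For": "10.0.0.5"}),
        # Legitimate client behind our LB; the LB replaced XFF with the real client.
        "via_lb_legit": ("192.0.2.1", {"X-Forwarded-For": "10.0.0.5"}),
        # Attacker behind our LB; the LB appended the real client to a forged value.
        "via_lb_spoof": ("192.0.2.1", {"X-Forwarded-For": "10.0.0.5, 203.0.113.9"}),
    }
    return {
        name: {
            "vulnerable": is_allowed(client_ip_vulnerable(peer, hdrs), WHITELIST),
            "hardened": is_allowed(client_ip_hardened(peer, hdrs, TRUSTED_PROXIES), WHITELIST),
        }
        for name, (peer, hdrs) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:13s} vulnerable={verdict['vulnerable']!s:5s} hardened={verdict['hardened']}")
```

The "via_lb_spoof" case is why the hardened resolver walks the header from the right: a proxy that appends (rather than replaces) the client's forged value leaves the attacker's real address as the rightmost untrusted hop, and picking the leftmost entry would still be fooled. If the edge proxy replaces the header outright, as the Remediation section recommends, both resolvers see only infrastructure-set addresses, which is what makes the load-balancer change an effective interim mitigation.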

Added: Jul 29, 2025, 1:20 PM
Updated: Jul 29, 2025, 2:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.2
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.