{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T11:22:49.363","vulnerabilities":[{"cve":{"id":"CVE-2025-6504","sourceIdentifier":"security@progress.com","published":"2025-07-29T13:15:28.650","lastModified":"2025-10-02T17:40:57.083","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. \n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\nThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access."},{"lang":"es","value":"En versiones de HDP Server anteriores a la 4.6.2.2978 en Linux, se podía producir acceso no autorizado mediante suplantación de IP mediante el encabezado X-Forwarded-For. Dado que XFF es un encabezado controlado por el cliente, podría suplantarse, permitiendo el acceso no autorizado si la IP suplantada coincidía con un rango permitido. Esta vulnerabilidad podría explotarse para eludir las restricciones de IP, aunque se seguirían necesitando credenciales de usuario válidas para acceder a los recursos."}],"metrics":{"cvssMetricV31":[{"source":"security@progress.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.7,"impactScore":6.0}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-345"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:progress:hybrid_data_pipeline:*:*:*:*:*:*:*:*","versionEndExcluding":"4.6.2.2978","matchCriteriaId":"806425E3-2E1C-412F-AF38-BD522D436EDB"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504","source":"security@progress.com","tags":["Vendor Advisory"]}]}}]}