PT-2025-51263 · EDB · Hybrid Manager - LTS

Published 2025-12-15 · Updated 2026-02-18 · CVE-2025-14038

CVSS v3.1: 7.0 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
EDB Hybrid Manager versions prior to 1.3.3
EDB Hybrid Manager - Innovation versions prior to 2025.12
EDB Hybrid Manager - LTS versions prior to 1.3.3
Description
EDB Hybrid Manager exposes certain gRPC endpoints to unauthenticated attackers. An attacker who can reach the Istio Gateway over the network can call these endpoints directly and read sensitive data, or cause a denial of service by sending malformed messages to them. The root cause is a misconfiguration of the Istio Gateway that fronts the service and is responsible for authentication and authorization: the security policy is an explicit allow-list of the routes it protects, and the affected gRPC endpoints were never added to that list, so requests to them bypass both authentication and authorization.
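The misconfiguration class described above, as an added illustration that is not part of the advisory and not EDB's or Istio's code: a small Python model of Istio AuthorizationPolicy evaluation (DENY policies first, then ALLOW; a workload with no ALLOW policy at all admits anything that was not denied) run over constructed requests. The policy contents, the service name hm.example.Internal, the method ListSecrets and the paths are hypothetical, and the weak policy (deny unauthenticated callers only on enumerated paths) is one common way the described bypass arises, not EDB's actual configuration. gRPC rides on HTTP/2 as POST /<package.Service>/<Method>, so path-based policies do apply to it and silently miss any service that was never written down.

```python
# Added illustration of Istio AuthorizationPolicy semantics (subset): exact/prefix/
# suffix/presence string matching, DENY evaluated before ALLOW. Not Istio's code.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    method: str
    path: str
    request_principal: Optional[str] = None  # "iss/sub" from a validated JWT; None if absent


@dataclass
class Rule:
    # Subset of spec.rules[].from[].source and spec.rules[].to[].operation
    request_principals: List[str] = field(default_factory=list)
    not_request_principals: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)
    not_paths: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    action: str  # "ALLOW" or "DENY"
    rules: List[Rule]  # an ALLOW policy with no rules matches nothing: default-deny


def match_value(pattern: str, value: Optional[str]) -> bool:
    """Istio string match: exact, prefix ('/api/*'), suffix ('*/Report') or presence ('*')."""
    if value is None:
        return False
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def match_list(patterns: List[str], value: Optional[str], negate: bool = False) -> bool:
    """An empty list leaves the field unconstrained; a not* list matches when nothing hits."""
    if not patterns:
        return True
    hit = any(match_value(p, value) for p in patterns)
    return not hit if negate else hit


def rule_matches(rule: Rule, req: Request) -> bool:
    return (match_list(rule.request_principals, req.request_principal)
            and match_list(rule.not_request_principals, req.request_principal, negate=True)
            and match_list(rule.paths, req.path)
            and match_list(rule.not_paths, req.path, negate=True)
            and match_list(rule.methods, req.method))


def evaluate(policies: List[Policy], req: Request) -> str:
    """Any matching DENY wins. If ALLOW policies exist, the request must match one;
    if the workload has no ALLOW policy at all, everything not denied is allowed."""
    denies = [p for p in policies if p.action == "DENY"]
    allows = [p for p in policies if p.action == "ALLOW"]
    if any(rule_matches(r, req) for p in denies for r in p.rules):
        return "DENY"
    if not allows:
        return "ALLOW"
    return "ALLOW" if any(rule_matches(r, req) for p in allows for r in p.rules) else "DENY"


# Hypothetical weak gateway policy: unauthenticated callers are rejected only on the
# paths someone remembered to list. Anything else, including gRPC services, falls through.
WEAK = [
    Policy("require-jwt-on-known-paths", "DENY",
           [Rule(not_request_principals=["*"], paths=["/api/*", "/v1/*"])]),
]

# Hardened: default-deny on the gateway, then explicit allows. Authenticated callers
# may reach anything; the only route open without a JWT is the health probe.
HARDENED = [
    Policy("default-deny", "ALLOW", []),
    Policy("allow-authenticated", "ALLOW", [Rule(request_principals=["*"])]),
    Policy("allow-health-probe", "ALLOW", [Rule(paths=["/healthz"], methods=["GET"])]),
]


def grpc_path(service: str, method: str) -> str:
    """gRPC maps every call to POST /<package.Service>/<Method> over HTTP/2."""
    return f"/{service}/{method}"


SAMPLE = {  # constructed requests, not captured traffic; service and paths are hypothetical
    "rest-anon": Request("GET", "/api/v1/clusters"),
    "rest-auth": Request("GET", "/api/v1/clusters", "https://issuer.example/alice"),
    "grpc-anon": Request("POST", grpc_path("hm.example.Internal", "ListSecrets")),
    "grpc-auth": Request("POST", grpc_path("hm.example.Internal", "ListSecrets"),
                         "https://issuer.example/alice"),
    "probe": Request("GET", "/healthz"),
}


def unauthenticated_reachable(policies: List[Policy], requests=SAMPLE) -> List[str]:
    """Routes a caller without any JWT can reach: the list a reviewer should read line by line."""
    return sorted(r.path for r in requests.values()
                  if r.request_principal is None and evaluate(policies, r) == "ALLOW")


if __name__ == "__main__":
    for label, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, {name: evaluate(policies, req) for name, req in SAMPLE.items()})
        print("  open without JWT:", unauthenticated_reachable(policies))
```

The check worth keeping is unauthenticated_reachable(): enumerate every route the gateway serves, gRPC services included, and confirm that only deliberate exceptions such as the health probe come back. Under the weak policy the hypothetical /hm.example.Internal/ListSecrets is reachable with no token at all, which is exactly the shape of bypass the advisory describes; the hardened set turns the question around so that a route is closed unless someone wrote an allow rule for it. Against a live gateway the equivalent is a grpcurl or curl call carrying no token, which should come back as 403 (PERMISSION_DENIED for gRPC) rather than with data.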
Recommendations
EDB Hybrid Manager versions prior to 1.3.3 should be upgraded to version 1.3.3.
EDB Hybrid Manager - Innovation versions prior to 2025.12 should be upgraded to version 2025.12.
EDB Hybrid Manager - LTS versions prior to 1.3.3 should be upgraded to version 1.3.3.

Fix

Weakness Enumeration
DoS
Missing Authentication
Missing Authorization

Related Identifiers
CVE-2025-14038

Affected Products
EDB Hybrid Manager
Hybrid Manager - Innovation
Hybrid Manager - LTS
Istio Gateway