CVE-2025-12817Missing Authorization in Postgresql-13

CWE-862Missing Authorization8 documents7 sources
Severity
3.1LOWNVD
EPSS
0.1%
top 83.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Debian Postgresql-13Debian Postgresql-15Debian Postgresql-17+3 more
Timeline
PublishedNov 13
Latest updateDec 3

Description

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 1.6 | Impact: 1.4

Affected Packages6 packages

debiandebian/postgresql-13< postgresql-13 13.23-0+deb11u1 (bullseye)
debiandebian/postgresql-15< postgresql-13 13.23-0+deb11u1 (bullseye)
debiandebian/postgresql-17< postgresql-13 13.23-0+deb11u1 (bullseye)
debiandebian/postgresql-18< postgresql-13 13.23-0+deb11u1 (bullseye)

🔴Vulnerability Details

3
OSV
postgresql-14, postgresql-16, postgresql-17 vulnerabilities2025-12-03
OSV
CVE-2025-12817: Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users2025-11-13
GHSA
GHSA-99qj-9hw7-85x8: Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users2025-11-13

📋Vendor Advisories

4
Ubuntu
PostgreSQL vulnerabilities2025-12-03
Red Hat
postgresql: CREATE STATISTICS does not check for schema CREATE privilege2025-11-13
Microsoft
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege2025-11-11
Debian
CVE-2025-12817: postgresql-13 - Missing authorization in PostgreSQL CREATE STATISTICS command allows a table own...2025