CVE-2025-12817 - Vulnerability Details - OpenCVE

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.postgresql.org/support/security/CVE-2025-12817/

History

Thu, 13 Nov 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Nov 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Title		PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege
Weaknesses		CWE-862
References		https://www.postgresql.org/support/security/CVE-2025-12817/
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published: 2025-11-13T13:00:12.160Z

Updated: 2025-11-13T13:59:54.599Z

Reserved: 2025-11-06T17:22:31.286Z

Link: CVE-2025-12817

Vulnrichment

Updated: 2025-11-13T13:59:51.843Z

NVD

Status : Received

Published: 2025-11-13T13:15:45.167

Modified: 2025-11-13T13:15:45.167

Link: CVE-2025-12817

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12817", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2025-11-06T17:22:31.286Z", "datePublished": "2025-11-13T13:00:12.160Z", "dateUpdated": "2025-11-13T13:59:54.599Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-11-13T13:00:12.160Z"}, "title": "PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege", "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "18.1", "status": "affected", "version": "18", "versionType": "rpm"}, {"lessThan": "17.7", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.11", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.15", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.20", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.23", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "type": "CWE", "description": "Missing Authorization"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-12817/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW"}}], "configurations": [{"lang": "en", "value": "attacker owns a table or has permission to create objects (temporary objects or non-temporary objects in at least one schema)"}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T13:59:49.176346Z", "id": "CVE-2025-12817", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T13:59:54.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T13:59:49.176346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T13:59:51.843Z"}}], "cna": {"title": "PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "18", "lessThan": "18.1", "versionType": "rpm"}, {"status": "affected", "version": "17", "lessThan": "17.7", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.11", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.15", "versionType": "rpm"}, {"status": "affected", "version": "14", "lessThan": "14.20", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "13.23", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-12817/"}], "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "configurations": [{"lang": "en", "value": "attacker owns a table or has permission to create objects (temporary objects or non-temporary objects in at least one schema)"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-11-13T13:00:12.160Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12817", "state": "PUBLISHED", "dateUpdated": "2025-11-13T13:59:54.599Z", "dateReserved": "2025-11-06T17:22:31.286Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2025-11-13T13:00:12.160Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}