{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12817", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2025-11-06T17:22:31.286Z", "datePublished": "2025-11-13T13:00:12.160Z", "dateUpdated": "2025-11-13T13:59:54.599Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-11-13T13:00:12.160Z"}, "title": "PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege", "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "18.1", "status": "affected", "version": "18", "versionType": "rpm"}, {"lessThan": "17.7", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.11", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.15", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.20", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.23", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "type": "CWE", "description": "Missing Authorization"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-12817/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW"}}], "configurations": [{"lang": "en", "value": "attacker owns a table or has permission to create objects (temporary objects or non-temporary objects in at least one schema)"}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T13:59:49.176346Z", "id": "CVE-2025-12817", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T13:59:54.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T13:59:49.176346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T13:59:51.843Z"}}], "cna": {"title": "PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "18", "lessThan": "18.1", "versionType": "rpm"}, {"status": "affected", "version": "17", "lessThan": "17.7", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.11", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.15", "versionType": "rpm"}, {"status": "affected", "version": "14", "lessThan": "14.20", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "13.23", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-12817/"}], "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "configurations": [{"lang": "en", "value": "attacker owns a table or has permission to create objects (temporary objects or non-temporary objects in at least one schema)"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-11-13T13:00:12.160Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12817", "state": "PUBLISHED", "dateUpdated": "2025-11-13T13:59:54.599Z", "dateReserved": "2025-11-06T17:22:31.286Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2025-11-13T13:00:12.160Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."}], "id": "CVE-2025-12817", "lastModified": "2025-11-14T16:42:03.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}, "published": "2025-11-13T13:15:45.167", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "url": "https://www.postgresql.org/support/security/CVE-2025-12817/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}

{"bugzilla": {"description": "postgresql: CREATE STATISTICS does not check for schema CREATE privilege", "id": "2414825", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414825"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-862", "details": ["Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "A vulnerability has been identified in PostgreSQL\u2019s CREATE STATISTICS command where the database does not check that the user has the required schema CREATE privilege. A table owner user could create a statistics object in any schema, blocking other users who legitimately hold CREATE STATISTICS permissions from creating objects with the same name. This results in a denial-of-service of the statistics creation functionality."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-12817", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "postgresql16", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "postgresql:12/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "postgresql:13/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "postgresql:15/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "postgresql:15/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-13T13:00:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-12817\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-12817\nhttps://www.postgresql.org/support/security/CVE-2025-12817/"], "statement": "This issue is rated Low severity by Red Hat Product Security, because exploitation is straightforward once an attacker already holds table-owner privileges. The attack complexity is Low, as no unusual conditions, timing requirements, or unpredictable states are needed; a table owner can simply choose any schema name and intentionally create a statistics object with a conflicting name, which is only trivial to perform and does not require prior knowledge beyond selecting an arbitrary identifier. The availability impact remains Low, since only the creation of a specific statistics object is blocked and normal database operations continue without disruption. There is no confidentiality or integrity impact, and the flaw does not allow privilege escalation. For these reasons, despite a Medium-range CVSS score, the overall impact to Red Hat products is considered Low.", "threat_severity": "Low"}