{"id":"BIT-postgresql-2025-12817","summary":"PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege","details":"Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema.  A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.  Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.","aliases":["CVE-2025-12817"],"modified":"2025-11-21T09:27:44.154213Z","published":"2025-11-21T08:47:36.690Z","database_specific":{"cpes":["cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"],"severity":"Low"},"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12817"},{"type":"WEB","url":"https://www.postgresql.org/support/security/CVE-2025-12817/"}],"affected":[{"package":{"name":"postgresql","ecosystem":"Bitnami","purl":"pkg:bitnami/postgresql"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"13.23.0"},{"introduced":"14.0.0"},{"fixed":"14.20.0"},{"introduced":"15.0.0"},{"fixed":"15.15.0"},{"introduced":"16.0.0"},{"fixed":"16.11.0"},{"introduced":"17.0.0"},{"fixed":"17.7.0"},{"introduced":"18.0.0"},{"fixed":"18.1.0"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2025-12817.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}],"schema_version":"1.7.3"}