Описание
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| postgresql-18 | fixed | 18.1-1 | package | |
| postgresql-17 | removed | package | ||
| postgresql-17 | fixed | 17.7-0+deb13u1 | trixie | package |
| postgresql-15 | removed | package | ||
| postgresql-15 | fixed | 15.15-0+deb12u1 | bookworm | package |
| postgresql-13 | removed | package |
Примечания
https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=5e4fcbe531c668b4112beedde97aac79724074c5 (master)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=00eb646ea43410e5df77fed96f4a981e66811796 (REL_18_1)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=e2fb3dfa817fbe89494a62c100e9cb442f4d6b15 (REL_17_7)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2393d374ae9c0bc8327adc80fe4490edb05be167 (REL_15_15)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8a2530ebcdef1aafa08ad1d019aec298dcebb952 (REL_13_23)
EPSS
Связанные уязвимости
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Уязвимость функции CREATE STATISTICS системы управления базами данных PostgreSQL, позволяющая нарушителю вызвать отказ в обслуживании
EPSS