Description
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
A vulnerability has been identified in PostgreSQL’s CREATE STATISTICS command where the database does not check that the user has the required schema CREATE privilege. A table owner user could create a statistics object in any schema, blocking other users who legitimately hold CREATE STATISTICS permissions from creating objects with the same name. This results in a denial-of-service of the statistics creation functionality.
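As an added example (not part of the Red Hat advisory or the PostgreSQL project), the following catalog query lets a DBA on an unpatched server find extended statistics objects whose owner does not currently hold CREATE on the schema that contains them, which is the state this flaw allows a table owner to create; it assumes only read access to `pg_catalog`, which every role has.

```sql
-- Added example: extended statistics objects whose owner lacks CREATE on the
-- containing schema. On a patched server the CREATE STATISTICS command itself
-- enforces this, so new rows here should not appear; existing rows may be
-- leftovers from before the fix, or the result of a later REVOKE.
SELECT n.nspname                  AS schema_name,
       s.stxname                  AS statistics_name,
       pg_get_userbyid(s.stxowner) AS owner,
       s.stxrelid::regclass        AS table_name
FROM   pg_catalog.pg_statistic_ext s
JOIN   pg_catalog.pg_namespace     n ON n.oid = s.stxnamespace
WHERE  NOT has_schema_privilege(s.stxowner, n.oid, 'CREATE')
ORDER  BY schema_name, statistics_name;
```

Rows returned are candidates to review with the schema owner and, if they block a legitimate `CREATE STATISTICS`, to drop with `DROP STATISTICS schema_name.statistics_name`; superusers always pass `has_schema_privilege`, so their objects never appear.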
Statement
This issue is rated Low severity by Red Hat Product Security, because exploitation is straightforward once an attacker already holds table-owner privileges. The attack complexity is Low, as no unusual conditions, timing requirements, or unpredictable states are needed; a table owner can simply choose any schema name and intentionally create a statistics object with a conflicting name, which is trivial to perform and requires no prior knowledge beyond selecting an arbitrary identifier. The availability impact remains Low, since only the creation of a specific statistics object is blocked and normal database operations continue without disruption. There is no confidentiality or integrity impact, and the flaw does not allow privilege escalation. For these reasons, despite a Medium-range CVSS score, the overall impact to Red Hat products is considered Low.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected Packages
| Platform | Package | State | Errata | Release Date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | postgresql16 | Affected | | |
| Red Hat Enterprise Linux 6 | postgresql | Out of support scope | | |
| Red Hat Enterprise Linux 7 | postgresql | Out of support scope | | |
| Red Hat Enterprise Linux 8 | postgresql:12/postgresql | Out of support scope | | |
| Red Hat Enterprise Linux 10.0 Extended Update Support | postgresql16 | Fixed | RHSA-2026:0456 | 12.01.2026 |
| Red Hat Enterprise Linux 8 | postgresql | Fixed | RHSA-2026:0519 | 13.01.2026 |
| Red Hat Enterprise Linux 8 | postgresql | Fixed | RHSA-2026:0523 | 13.01.2026 |
| Red Hat Enterprise Linux 8 | postgresql | Fixed | RHSA-2026:0524 | 13.01.2026 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | postgresql | Fixed | RHSA-2026:0265 | 08.01.2026 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | postgresql | Fixed | RHSA-2026:0265 | 08.01.2026 |
Additional Information
CVSS3: 4.3 Medium
Related Vulnerabilities
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege