CVE-2025-8713
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: PostgreSQL
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql | 13.22 |
| postgresql | postgresql | 16.10 |
| postgresql | postgresql | 14.19 |
| postgresql | postgresql | 17.6 |
| postgresql | postgresql | 15.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1230 | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PostgreSQL optimizer statistics allows a user to read sampled data from a view or table they are not permitted to access. Specifically, a user could bypass view access control lists and row security policies to read statistics such as histograms and most-common-values lists, which would normally be restricted. The root cause is that the statistics collected for query planning can still leak information about the underlying rows, despite the fixes shipped for earlier CVEs in this area.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive data by allowing users to access sampled statistical data that should be protected by access controls or row security policies. This could potentially expose information about the underlying data distribution and contents, which might be leveraged for further attacks or data inference.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update PostgreSQL to 17.6, 16.10, 15.14, 14.19, or 13.22 (or any later release in the corresponding major-version branch), as these releases contain the fix for this issue.