Description

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

INFO

Published Date :

2025-04-02T11:09:55.496Z

Last Modified :

2026-03-22T03:43:57.833Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2025-2842 vulnerability.

Vendors Products
Redhat
  • Openshift Distributed Tracing
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-2842.

URL Resource
https://access.redhat.com/errata/RHSA-2025:3607 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:3740 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-2842 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2355219 cve-icon cve-icon
https://github.com/grafana/tempo-operator/pull/1144 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-2842 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-2842 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact