CVE-2025-2842

Summary

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

Affected Software

VendorProductVersion RangeStatus
0 < 0.15.3affected
Red HatRed Hat OpenShift distributed tracing 3.5.1sha256:233132300a9f5f019047a414b240f5b32c7563af8107bb52c4395892fdcd0fe0 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.5.1sha256:be2ec2e3d3b21748cfe3b9382f7fc1f6c72d5f380fc97773518c254c6e5794ca < *unaffected

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Workarounds

Currently, no mitigation is available for this vulnerability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References