CVE-2025-2842
Published: Apr 2, 2025
Modified: Mar 22, 2026
CVSS v3.1
4.3
Description
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
| Vendor | Product | Versions |
|---|---|---|
Unknown | tempo-operator | affected 0 - < 0.15.3 |
Red Hat | Red Hat OpenShift distributed tracing 3.5.1 | unaffected sha256:233132300a9f5f019047a414b240f5b32c7563af8107bb52c4395892fdcd0fe0 - < * |
Red Hat | Red Hat OpenShift distributed tracing 3.5.1 | unaffected sha256:be2ec2e3d3b21748cfe3b9382f7fc1f6c72d5f380fc97773518c254c6e5794ca - < * |
Red Hat | Red Hat OpenShift distributed tracing 3 | All versions |
Red Hat | Red Hat OpenShift distributed tracing 3 | All versions |
Red Hat | Red Hat OpenShift distributed tracing 3 | All versions |
Red Hat | Red Hat OpenShift distributed tracing 3 | All versions |
Red Hat | Red Hat OpenShift distributed tracing 3 | All versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now