2354811 – (CVE-2025-2786) CVE-2025-2786 tempo-operator: ServiceAccount Token Exposure Leading to Token and Subject Access Reviews in OpenShift Tempo Operator

Bug 2354811 (CVE-2025-2786) - CVE-2025-2786 tempo-operator: ServiceAccount Token Exposure Leading to Token and Subject Access Reviews in OpenShift Tempo Operator

Summary: CVE-2025-2786 tempo-operator: ServiceAccount Token Exposure Leading to Token ...

Keywords:
Status:	NEW
Alias:	CVE-2025-2786
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-25 11:32 UTC by OSIDB Bzimport
Modified:	2025-04-07 06:25 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-25 11:32:14 UTC

The Tempo Operator in OpenShift Distributed Tracing creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This design allows any user with full access to their namespace to retrieve the associated ServiceAccount token and utilize it to make privileged API calls to:

Validate bearer tokens using the TokenReview API.

Check user permissions using the SubjectAccessReview API.

Note You need to log in before you can comment on or make changes to this bug.