Fedora Account System
Red Hat Associate
Red Hat Customer
A flaw was found in the Tempo Operator's gateway component used by Red Hat OpenShift distributed tracing platform to enforce per-namespace access control on trace queries; when query RBAC is enabled, an authorization logic error caused some query API code paths to skip the expected redaction, allowing a user authorized for at least one namespace's traces to retrieve span attributes from namespaces they are not authorized to access. The highest threat is to confidentiality of tracing data; there is no impact to integrity, availability, or broader cluster privileges, and deployments that do not enable query RBAC are not affected by this specific bypass.
CVSS Justification: AV:N (Network) — The Tempo query API/gateway is reachable over the network (e.g., via a route/service), so no local access to a node or pod is needed. AC:L (Low) — Exploitation just requires sending a normal query request to the affected endpoints; no special conditions or timing are involved. PR:L (Low) — Attacker needs to be an authenticated user with access to at least one namespace's traces, not elevated/admin privileges. UI:N (None) — No action from another user or admin is required to trigger the unredacted response. S:U (Unchanged) — The bypass stays within the same security authority (the tracing platform's own authorization layer); it doesn't escalate into a different component or host boundary. C:H (High) — An attacker can read span attributes from namespaces they aren't authorized for, with no restriction on which namespaces' data is exposed. I:N (None) — The flaw only discloses data; it doesn't allow modifying trace data, configuration, or anything else. A:N (None) — There's no impact on availability of the tracing service or any other component.