2355219 – (CVE-2025-2842) CVE-2025-2842 tempo-operator: Tempo Operator Token Exposition lead to read sensitive data

Bug 2355219 (CVE-2025-2842) - CVE-2025-2842 tempo-operator: Tempo Operator Token Exposition lead to read sensitive data

Summary: CVE-2025-2842 tempo-operator: Tempo Operator Token Exposition lead to read se...

Keywords:
Status:	NEW
Alias:	CVE-2025-2842
Deadline:	2025-04-04
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-27 02:39 UTC by OSIDB Bzimport
Modified:	2025-04-07 06:24 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-27 02:39:27 UTC

When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole.

This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

Note You need to log in before you can comment on or make changes to this bug.