CVE Alert: CVE-2025-2842

Vulnerability Summary: CVE-2025-2842
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has ‘create’ permissions on TempoStack and ‘get’ permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
Affected Endpoints:
No affected endpoints listed.
Published Date:
4/2/2025, 12:15:14 PM
⚠️ CVSS Score:
Exploit Status:
Not Exploited
EPSS Score: 0.00022 | EPSS Percentile Ranking: 0.03455
References:
- https://access.redhat.com/security/cve/CVE-2025-2842
- https://bugzilla.redhat.com/show_bug.cgi?id=2355219
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.