← Volver a CVEs

CVE-2025-2842

MEDIUM

4.3

Descripcion

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

Detalles CVE

Puntuacion CVSS v3.14.3

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado4/2/2025

Ultima modificacion3/22/2026

Fuentenvd

Avistamientos honeypot0

Debilidades (CWE)

CWE-200

Referencias

https://access.redhat.com/errata/RHSA-2025:3607(secalert@redhat.com)

https://access.redhat.com/errata/RHSA-2025:3740(secalert@redhat.com)

https://access.redhat.com/security/cve/CVE-2025-2842(secalert@redhat.com)

https://bugzilla.redhat.com/show_bug.cgi?id=2355219(secalert@redhat.com)

https://github.com/grafana/tempo-operator/pull/1144(secalert@redhat.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.