← Back to CVE List

CVE-2025-2842

Published: 2025-04-02T12:15Z
Last Modified: 2025-04-09T21:16Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt