CVE-2025-2842: Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
(updated )
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has ‘create’ permissions on TempoStack and ‘get’ permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
References
- access.redhat.com/errata/RHSA-2025:3607
- access.redhat.com/errata/RHSA-2025:3740
- access.redhat.com/security/cve/CVE-2025-2842
- bugzilla.redhat.com/show_bug.cgi?id=2355219
- github.com/advisories/GHSA-5xf3-gmx4-529v
- github.com/grafana/tempo-operator/blob/8d1c7f13cb0f8db490144b04665b1fd6a2d56307/CHANGELOG.md?plain=1
- github.com/grafana/tempo-operator/commit/60b538c45f76755262e211d8df0e601a716308c7
- github.com/grafana/tempo-operator/pull/1144
- nvd.nist.gov/vuln/detail/CVE-2025-2842
Code Behaviors & Features
Detect and mitigate CVE-2025-2842 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →