CVE-2025-2842

Name of the Vulnerable Software and Affected Versions Tempo Operator (affected versions not specified)

Description A flaw was found in the Tempo Operator related to the Jaeger UI Monitor Tab functionality. When this functionality is enabled, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance, granting the cluster-monitoring-view ClusterRole. This issue can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace. As a result, the user can read the token of the Tempo service account, gaining access to all cluster metrics.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.