CVE-2025-2842: Exposure of Sensitive Information to an Unauthorized Actor
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
AI Analysis
Technical Summary
CVE-2025-2842 is a medium-severity vulnerability affecting the Tempo Operator, a Kubernetes operator used to manage Tempo instances for distributed tracing. The flaw arises when the Jaeger UI Monitor Tab functionality is enabled within a Tempo instance managed by the Tempo Operator. In this configuration, the Operator creates a ClusterRoleBinding that assigns the cluster-monitoring-view ClusterRole to the Service Account of the Tempo instance. This role grants read access to cluster metrics. The vulnerability can be exploited if an attacker has 'create' permissions on TempoStack resources and 'get' permissions on Kubernetes Secrets within a namespace, which is plausible if the attacker holds ClusterAdmin permissions scoped to that namespace. By leveraging these permissions, the attacker can read the token associated with the Tempo service account. Possession of this token allows the attacker to impersonate the Tempo service account and access all cluster metrics, potentially exposing sensitive operational data. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and results in limited confidentiality impact without affecting integrity or availability. No known exploits are reported in the wild as of the publication date. The vulnerability highlights a privilege escalation path through misconfigured role bindings and excessive permissions granted by the Tempo Operator when enabling the Jaeger UI Monitor Tab feature.
Potential Impact
For European organizations running Kubernetes clusters with Tempo Operator-managed Tempo instances, this vulnerability could lead to unauthorized disclosure of cluster metrics and monitoring data. While the direct impact on confidentiality is limited to metrics data, such information can be leveraged by attackers for reconnaissance, facilitating further attacks such as lateral movement or targeted exploitation of cluster components. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, critical infrastructure) may face compliance risks if sensitive operational data is exposed. Additionally, attackers gaining insights into cluster performance and configuration could identify weaknesses or sensitive workloads. The impact is particularly relevant for multi-tenant or shared Kubernetes environments common in European cloud deployments, where namespace-level permissions are delegated. The vulnerability does not directly affect data integrity or availability but can be a stepping stone in a broader attack chain.
Mitigation Recommendations
To mitigate CVE-2025-2842, European organizations should:
1) Review and restrict permissions granted to users and service accounts, especially limiting 'create' permissions on TempoStack resources and 'get' permissions on Secrets within namespaces. Avoid granting ClusterAdmin or equivalent privileges scoped to namespaces unless strictly necessary.
2) Disable the Jaeger UI Monitor Tab functionality in Tempo instances unless explicitly required, as this feature triggers the creation of the risky ClusterRoleBinding.
3) Audit existing ClusterRoleBindings and Service Account tokens associated with Tempo Operator-managed resources to detect and remove any excessive privileges.
4) Implement Kubernetes RBAC best practices, including the principle of least privilege and regular permission reviews.
5) Monitor audit logs for unusual access patterns to Secrets or Tempo service account tokens.
6) Stay updated with Tempo Operator releases and apply patches or configuration changes addressing this vulnerability once available.
7) Consider network segmentation and use of Kubernetes Network Policies to limit access to monitoring endpoints and service accounts.
These steps go beyond generic advice by focusing on the specific permission sets and features implicated in this vulnerability.
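A defender-side check for recommendations 3) and 5) above, added here as an example; it is not part of the advisory and not code from the Tempo Operator project. The first function scans a ClusterRoleBinding listing for bindings that hand cluster-monitoring-view to a namespaced ServiceAccount (the binding the Operator creates when the Monitor Tab is enabled). The second correlates API server audit events for the permission pair the description names: the same principal creating a TempoStack and successfully reading a Secret in one namespace. All input is constructed inline; the binding name tempo-simplest-cluster-monitoring-view, the tracing namespace, the usernames and the secret name are assumptions, not values from the page. In a cluster the same shapes come from `kubectl get clusterrolebindings -o json` and the audit.k8s.io/v1 audit log.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# reduced to the fields this check reads. Binding names, the "tracing" namespace
# and the "simplest" TempoStack are assumptions, not values from the advisory.
CLUSTERROLEBINDINGS_JSON = """
{
  "items": [
    {
      "metadata": {"name": "tempo-simplest-cluster-monitoring-view",
                   "ownerReferences": [{"kind": "TempoStack", "name": "simplest"}]},
      "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
      "subjects": [{"kind": "ServiceAccount", "name": "tempo-simplest", "namespace": "tracing"}]
    },
    {
      "metadata": {"name": "prometheus-k8s"},
      "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
      "subjects": [{"kind": "ServiceAccount", "name": "prometheus-k8s", "namespace": "openshift-monitoring"}]
    },
    {
      "metadata": {"name": "dev-view"},
      "roleRef": {"kind": "ClusterRole", "name": "view"},
      "subjects": [{"kind": "Group", "name": "developers"}]
    }
  ]
}
"""

# Constructed audit events, one audit.k8s.io/v1 Event per line. Usernames, the
# namespace and the secret name are invented for the example.
AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"tempostacks","namespace":"tracing","name":"simplest"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"tracing"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"objectRef":{"resource":"secrets","namespace":"tracing","name":"tempo-simplest-token-x7k2q"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:openshift-operators:tempo-operator-controller-manager"},"objectRef":{"resource":"secrets","namespace":"tracing","name":"tempo-simplest-token-x7k2q"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"tracing","name":"tempo-simplest-token-x7k2q"},"responseStatus":{"code":200}}
"""

# Namespaces where a ServiceAccount is expected to hold cluster-monitoring-view.
# Assumed list; tune it to the platform in use.
PLATFORM_MONITORING_NAMESPACES = {"openshift-monitoring", "kube-system", "monitoring"}


def risky_monitoring_bindings(bindings_json, allowed_namespaces=PLATFORM_MONITORING_NAMESPACES):
    """Return (binding, "namespace/serviceaccount") pairs where cluster-monitoring-view
    is bound to a ServiceAccount outside the platform monitoring namespaces.
    Anyone who can read that account's token inherits read access to all metrics."""
    hits = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-monitoring-view":
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount" or subj.get("namespace") in allowed_namespaces:
                continue
            hits.append((item["metadata"]["name"], f"{subj['namespace']}/{subj['name']}"))
    return hits


def correlate_audit(lines):
    """Group successful requests by (username, namespace) and return the principals that
    both created a TempoStack and read a Secret there, the permission pair the advisory
    describes. Denied requests (4xx) and unrelated verbs are ignored."""
    activity = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("stage") != "ResponseComplete" or ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue
        ref = ev.get("objectRef", {})
        key = (ev.get("user", {}).get("username", ""), ref.get("namespace"))
        rec = activity.setdefault(key, {"tempostack_create": False, "secret_reads": []})
        if ref.get("resource") == "tempostacks" and ev.get("verb") == "create":
            rec["tempostack_create"] = True
        elif ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list"):
            rec["secret_reads"].append(ref.get("name") or "*")
    return {k: v for k, v in activity.items() if v["tempostack_create"] and v["secret_reads"]}


if __name__ == "__main__":
    for binding, sa in risky_monitoring_bindings(CLUSTERROLEBINDINGS_JSON):
        print(f"[binding] {binding} grants cluster-monitoring-view to {sa}")
    for (user, ns), rec in correlate_audit(AUDIT_LOG.splitlines()).items():
        print(f"[audit] {user} created a TempoStack and read secrets {rec['secret_reads']} in {ns}")
```

The binding check reports the Tempo ServiceAccount in the tracing namespace and stays quiet on the platform's own Prometheus account; the audit correlation reports only alice, whose create on TempoStack and successful get on the token Secret line up, while bob's denied read and the operator's own Secret access (no TempoStack create) are not reported. A denied read alone is still worth alerting on in a real deployment; the correlation is the higher-confidence signal.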
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-03-27T02:38:55.497Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f99000acd01a249270038
Added to database: 5/22/2025, 9:37:04 PM
Last enriched: 7/8/2025, 5:10:06 AM
Last updated: 8/14/2025, 1:41:00 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)