
CVE-2025-2842: Exposure of Sensitive Information to an Unauthorized Actor

Medium
Type: Vulnerability
Published: Wed Apr 02 2025 (04/02/2025, 11:09:55 UTC)
Source: CVE

Description

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

AI-Powered Analysis

Last updated: 07/08/2025, 05:10:06 UTC

Technical Analysis

CVE-2025-2842 is a medium-severity vulnerability affecting the Tempo Operator, a Kubernetes operator used to manage Tempo instances for distributed tracing. The flaw arises when the Jaeger UI Monitor Tab functionality is enabled within a Tempo instance managed by the Tempo Operator. In this configuration, the Operator creates a ClusterRoleBinding that assigns the cluster-monitoring-view ClusterRole to the Service Account of the Tempo instance. This role grants read access to cluster metrics. The vulnerability can be exploited if an attacker has 'create' permissions on TempoStack resources and 'get' permissions on Kubernetes Secrets within a namespace, which is plausible if the attacker holds ClusterAdmin permissions scoped to that namespace. By leveraging these permissions, the attacker can read the token associated with the Tempo service account. Possession of this token allows the attacker to impersonate the Tempo service account and access all cluster metrics, potentially exposing sensitive operational data. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and results in limited confidentiality impact without affecting integrity or availability. No known exploits are reported in the wild as of the publication date. The vulnerability highlights a privilege escalation path through misconfigured role bindings and excessive permissions granted by the Tempo Operator when enabling the Jaeger UI Monitor Tab feature.

Potential Impact

For European organizations running Kubernetes clusters with Tempo Operator-managed Tempo instances, this vulnerability could lead to unauthorized disclosure of cluster metrics and monitoring data. While the direct impact on confidentiality is limited to metrics data, such information can be leveraged by attackers for reconnaissance, facilitating further attacks such as lateral movement or targeted exploitation of cluster components. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, critical infrastructure) may face compliance risks if sensitive operational data is exposed. Additionally, attackers gaining insights into cluster performance and configuration could identify weaknesses or sensitive workloads. The impact is particularly relevant for multi-tenant or shared Kubernetes environments common in European cloud deployments, where namespace-level permissions are delegated. The vulnerability does not directly affect data integrity or availability but can be a stepping stone in a broader attack chain.

Mitigation Recommendations

To mitigate CVE-2025-2842, European organizations should:

1) Review and restrict permissions granted to users and service accounts, especially limiting 'create' permissions on TempoStack resources and 'get' permissions on Secrets within namespaces. Avoid granting ClusterAdmin or equivalent privileges scoped to namespaces unless strictly necessary.
2) Disable the Jaeger UI Monitor Tab functionality in Tempo instances unless explicitly required, as this feature triggers the creation of the risky ClusterRoleBinding.
3) Audit existing ClusterRoleBindings and Service Account tokens associated with Tempo Operator-managed resources to detect and remove any excessive privileges.
4) Implement Kubernetes RBAC best practices, including the principle of least privilege and regular permission reviews.
5) Monitor audit logs for unusual access patterns to Secrets or Tempo service account tokens.
6) Stay updated with Tempo Operator releases and apply patches or configuration changes addressing this vulnerability once available.
7) Consider network segmentation and use of Kubernetes Network Policies to limit access to monitoring endpoints and service accounts.

These steps go beyond generic advice by focusing on the specific permission sets and features implicated in this vulnerability.
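The following audit helper is an added example, not code from the Tempo Operator or this advisory's source. It works on kubectl-style JSON (constructed inline here) and flags the two conditions the advisory describes: service accounts bound to cluster-monitoring-view (recommendation 3), and namespace Roles that combine 'create' on tempostacks with 'get' on secrets (recommendation 1). The names tempo-simplest, tracing and tracing-dev are assumptions; tempo.grafana.com is the API group of the Tempo Operator's TempoStack CRD.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
CRBS = json.loads("""{"items": [
 {"metadata": {"name": "tempo-simplest-cluster-monitoring-view"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
  "subjects": [{"kind": "ServiceAccount", "name": "tempo-simplest", "namespace": "tracing"}]},
 {"metadata": {"name": "prometheus-k8s"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
  "subjects": [{"kind": "ServiceAccount", "name": "prometheus-k8s", "namespace": "openshift-monitoring"}]}
]}""")

# Constructed sample shaped like `kubectl get roles -n tracing -o json`.
ROLES = json.loads("""{"items": [
 {"metadata": {"name": "tracing-dev", "namespace": "tracing"},
  "rules": [{"apiGroups": ["tempo.grafana.com"], "resources": ["tempostacks"], "verbs": ["create"]},
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
 {"metadata": {"name": "tracing-viewer", "namespace": "tracing"},
  "rules": [{"apiGroups": ["tempo.grafana.com"], "resources": ["tempostacks"], "verbs": ["get", "list"]}]}
]}""")


def monitoring_view_service_accounts(crbs):
    """(namespace, serviceaccount) pairs holding cluster-monitoring-view; review each."""
    out = []
    for binding in crbs["items"]:
        if binding["roleRef"].get("name") != "cluster-monitoring-view":
            continue
        for subj in binding.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                out.append((subj["namespace"], subj["name"]))
    return out


def _allows(rule, group, resource, verb):
    """True if one RBAC rule grants verb on group/resource (wildcards honoured)."""
    def hit(key, want):
        vals = rule.get(key, [])
        return want in vals or "*" in vals
    return hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)


def risky_roles(roles):
    """Roles granting both 'create tempostacks' and 'get secrets': the exact pair
    the advisory says suffices to read the Tempo service account token."""
    out = []
    for role in roles["items"]:
        rules = role.get("rules", [])
        can_create = any(_allows(r, "tempo.grafana.com", "tempostacks", "create") for r in rules)
        can_read = any(_allows(r, "", "secrets", "get") for r in rules)
        if can_create and can_read:
            out.append(role["metadata"]["name"])
    return out
```

Feed it live output (`kubectl get clusterrolebindings -o json`, `kubectl get roles -A -o json`) to list the bindings and namespace Roles worth reviewing; ClusterRoles bound into the namespace via RoleBinding need the same check.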


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-03-27T02:38:55.497Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f99000acd01a249270038

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 7/8/2025, 5:10:06 AM

Last updated: 7/28/2025, 5:26:35 AM

