
CVE-2025-2842: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Medium
Published: Wed Apr 02 2025 (04/02/2025, 11:09:55 UTC)
Source: CVE

Description

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 03/23/2026, 00:06:18 UTC

Technical Analysis

CVE-2025-2842 is a privilege-boundary flaw in the Tempo Operator, the controller that manages Tempo instances (TempoStack resources) in Kubernetes and OpenShift clusters. When the Jaeger UI Monitor Tab feature is enabled for a TempoStack, the Operator creates a ClusterRoleBinding that grants the cluster-monitoring-view ClusterRole to the service account of that Tempo instance, so that the instance can query cluster metrics. That binding is cluster-scoped, but the decision to create it is driven by a namespaced object. A user who can create TempoStack resources in a namespace can therefore create an instance with the Monitor Tab enabled and have the Operator hand its service account cluster-wide metrics read access; if the same user can also get Secrets in that namespace, they can read the service account's token Secret and use the token directly against the API to read all cluster metrics that cluster-monitoring-view permits. The named prerequisites (create on TempoStack plus get on Secrets) are exactly what a namespace-scoped admin typically holds, which is why the description calls out "ClusterAdmin permissions for a specific namespace". One practical caveat: the Secret-based path presupposes a long-lived token Secret for the service account exists; recent Kubernetes releases no longer create such Secrets automatically, so the exposure depends on cluster version and configuration. The vulnerability requires no user interaction and the token can be used over the network. The CVSS 3.1 base score is 4.3 (medium), reflecting the privileges required and the confidentiality-only impact; no integrity or availability impact is reported, and no exploitation in the wild has been observed. The flaw is a textbook case of a controller over-privileging a workload service account and of namespace-level rights leaking into cluster-level visibility.

Potential Impact

The primary impact of CVE-2025-2842 is unauthorized disclosure of cluster-wide metrics, which reveal detailed operational and performance information about the whole Kubernetes environment: node and workload names, resource usage, and the shape of other tenants' deployments. That is reconnaissance material an attacker can use to pick targets for further attacks or lateral movement within the cluster. The vulnerability does not by itself compromise data integrity or availability, but it breaks the confidentiality boundary between namespaces. Organizations running multi-tenant clusters, or delegating namespace-level admin rights to teams, are most exposed, because a tenant with ordinary namespace permissions gains visibility that is supposed to be reserved for cluster operators. The flaw also illustrates how a default configuration can grant permissions well beyond the principle of least privilege. Although no active exploitation is reported, environments running the Tempo Operator with the Jaeger UI Monitor Tab enabled expose a low-effort path to cluster-wide intelligence.

Mitigation Recommendations

To mitigate CVE-2025-2842, first determine whether the Jaeger UI Monitor Tab functionality is enabled in any TempoStack managed by the Tempo Operator. If it is not required, disable it so the Operator does not create the cluster-monitoring-view ClusterRoleBinding. Where it is required, audit who in each namespace holds both 'create' on TempoStack resources and 'get' on Secrets, and remove one half of that combination from anyone who does not need it; `kubectl auth can-i create tempostacks.tempo.grafana.com --as=<user> -n <namespace>` and `kubectl auth can-i get secrets --as=<user> -n <namespace>` answer this per user, and listing ClusterRoleBindings whose roleRef is cluster-monitoring-view shows which namespaced service accounts already hold the role. Enforce least-privilege RBAC so that namespace admins do not automatically receive both permissions, and monitor and alert on reads of service account token Secrets. Update the Tempo Operator to a version that addresses this issue as soon as one is available. Use Pod Security Admission or OPA Gatekeeper policies to constrain what workloads and tenants can create, and conduct periodic reviews of ClusterRoles and ClusterRoleBindings to detect and remediate over-privileged accounts.
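The audit described in the analysis and the mitigation above, as an added example that is not part of the advisory or the Tempo Operator's own code: it walks a constructed set of Roles, RoleBindings and ClusterRoleBindings and reports (1) subjects that hold both create on TempoStack and get on Secrets in one namespace, and (2) namespaced service accounts already bound to cluster-monitoring-view. The TempoStack API group and resource name, the binding and service account names, and all users and namespaces are assumptions for the example; on a real cluster the same functions can be fed the objects from `kubectl get ... -o json`.

```python
"""Audit Kubernetes RBAC for the CVE-2025-2842 exposure pattern.

Flags (1) subjects that can both create TempoStack objects and get Secrets in
the same namespace, which is the combination the advisory names, and (2)
namespaced ServiceAccounts already bound to cluster-monitoring-view, which is
the binding the operator creates for a monitor-tab instance.
All RBAC objects below are a constructed sample shaped like trimmed
`kubectl get ... -o json` output; names, namespaces and users are invented.
"""
from collections import defaultdict

# Assumed CRD identifiers for the Tempo Operator's TempoStack resource.
TS_GROUP, TS_RESOURCE = "tempo.grafana.com", "tempostacks"
TARGET_ROLE = "cluster-monitoring-view"
# (verb, apiGroup, resource) a subject must hold together in one namespace.
REQUIRED = {"create-tempostack": ("create", TS_GROUP, TS_RESOURCE),
            "get-secret": ("get", "", "secrets")}

# --- constructed sample -------------------------------------------------
CLUSTER_ROLES = {  # simplified stand-in for the built-in "admin" ClusterRole
    "admin": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
              {"apiGroups": [TS_GROUP], "resources": [TS_RESOURCE], "verbs": ["*"]}],
}
ROLES = {  # keyed by (namespace, name)
    ("tracing", "tempo-dev"): [
        {"apiGroups": [TS_GROUP], "resources": [TS_RESOURCE], "verbs": ["create", "get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}],
    ("tracing", "tempo-viewer"): [
        {"apiGroups": [TS_GROUP], "resources": [TS_RESOURCE], "verbs": ["get", "list"]}],
    ("tracing", "tempo-creator"): [
        {"apiGroups": [TS_GROUP], "resources": [TS_RESOURCE], "verbs": ["create"]}],
    ("tracing", "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}

def _rb(ns, name, ref_kind, ref_name, *users):
    """Build a minimal RoleBinding object for the sample."""
    return {"metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": "User", "name": u} for u in users]}

ROLE_BINDINGS = [
    _rb("tracing", "alice-dev", "Role", "tempo-dev", "alice"),        # both in one Role
    _rb("tracing", "bob-viewer", "Role", "tempo-viewer", "bob"),      # read-only on TempoStack
    _rb("tracing", "bob-secrets", "Role", "secret-reader", "bob"),    # secrets, but no create
    _rb("tracing", "dave-create", "Role", "tempo-creator", "dave"),   # create from one binding...
    _rb("tracing", "dave-secrets", "Role", "secret-reader", "dave"),  # ...secrets from another
    _rb("tracing", "carol-admin", "ClusterRole", "admin", "carol"),   # "admin of one namespace"
]
CLUSTER_ROLE_BINDINGS = [
    # Shape of the operator-created binding; binding and SA names are assumed.
    {"metadata": {"name": "tempo-simplest-cluster-monitoring-view"},
     "roleRef": {"kind": "ClusterRole", "name": TARGET_ROLE},
     "subjects": [{"kind": "ServiceAccount", "name": "tempo-simplest", "namespace": "tracing"}]},
    {"metadata": {"name": "prometheus-k8s-view"},  # unrelated binding, must not be flagged
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus-k8s", "namespace": "monitoring"}]},
]

def rule_allows(rule, verb, group, resource):
    """Kubernetes RBAC semantics: '*' in a field matches anything."""
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule.get("verbs", []), verb) and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource))

def rules_for(role_ref, namespace, roles, cluster_roles):
    """A RoleBinding may reference a Role in its namespace or a ClusterRole."""
    if role_ref["kind"] == "ClusterRole":
        return cluster_roles.get(role_ref["name"], [])
    return roles.get((namespace, role_ref["name"]), [])

def exposed_subjects(role_bindings, roles, cluster_roles, required=REQUIRED):
    """Subjects holding every REQUIRED permission in one namespace.

    Permissions accumulate across bindings. Rights granted cluster-wide through
    ClusterRoleBindings are not resolved here; such subjects are exposed anyway.
    """
    held = defaultdict(set)  # (namespace, kind, name) -> satisfied labels
    for rb in role_bindings:
        ns = rb["metadata"]["namespace"]
        rules = rules_for(rb["roleRef"], ns, roles, cluster_roles)
        for subj in rb.get("subjects", []):
            key = (ns, subj["kind"], subj["name"])
            held[key].update(label for label, (verb, group, res) in required.items()
                             if any(rule_allows(r, verb, group, res) for r in rules))
    return sorted(k for k, labels in held.items() if labels == set(required))

def monitoring_view_service_accounts(cluster_role_bindings, role_name=TARGET_ROLE):
    """Namespaced ServiceAccounts granted role_name via a ClusterRoleBinding."""
    found = set()
    for crb in cluster_role_bindings:
        ref = crb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] != role_name:
            continue
        for subj in crb.get("subjects", []):
            if subj["kind"] == "ServiceAccount":
                found.add((subj.get("namespace", ""), subj["name"], crb["metadata"]["name"]))
    return sorted(found)

if __name__ == "__main__":
    for ns, kind, name in exposed_subjects(ROLE_BINDINGS, ROLES, CLUSTER_ROLES):
        print(f"{ns}: {kind}/{name} can create TempoStack and get Secrets")
    for ns, sa, crb in monitoring_view_service_accounts(CLUSTER_ROLE_BINDINGS):
        print(f"{ns}/{sa} holds {TARGET_ROLE} via ClusterRoleBinding {crb}")
```

On the sample, alice (both rights from one Role), dave (create from one binding, secrets from another) and carol (namespace-scoped binding to the admin ClusterRole) are flagged; bob is not, because read access to TempoStack without create cannot trigger the Operator's binding. The accumulation across bindings is the part that a quick glance at a single Role misses, and the ClusterRole-via-RoleBinding case is the one the advisory's "ClusterAdmin for a specific namespace" wording describes.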


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-03-27T02:38:55.497Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f99000acd01a249270038

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 3/23/2026, 12:06:18 AM

Last updated: 3/25/2026, 1:41:44 AM
