
CVE-2025-2842: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Medium
Type: Vulnerability
Published: Wed Apr 02 2025 (04/02/2025, 11:09:55 UTC)
Source: CVE

Description

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

AI-Powered Analysis

Last updated: 10/11/2025, 00:30:30 UTC

Technical Analysis

CVE-2025-2842 is a vulnerability discovered in the Tempo Operator, a Kubernetes operator managing Tempo instances for distributed tracing. The flaw arises when the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Operator. Under this configuration, the Operator automatically creates a ClusterRoleBinding that assigns the cluster-monitoring-view ClusterRole to the Service Account used by the Tempo instance. This role grants read access to cluster metrics, which are sensitive operational data. The vulnerability can be exploited if an attacker or user has 'create' permissions on TempoStack resources and 'get' permissions on Kubernetes Secrets within a namespace. For example, a user with ClusterAdmin privileges scoped to a namespace can retrieve the token of the Tempo service account by reading the Secret object containing the token. Possession of this token allows the user to impersonate the Tempo service account and access all cluster metrics via the cluster-monitoring-view role. The vulnerability does not require user interaction and can be exploited remotely (network vector). The CVSS 3.1 base score is 4.3 (medium), reflecting low impact on confidentiality (only cluster metrics exposure), no impact on integrity or availability, and the need for some privileges to exploit. There are no known public exploits reported to date. The issue highlights the risk of overly permissive RBAC configurations combined with automatic privilege escalations by operators managing observability components in Kubernetes clusters.

Potential Impact

For European organizations, the exposure of cluster metrics can lead to leakage of sensitive operational data, potentially revealing infrastructure details, performance characteristics, and internal cluster topology. While this does not directly compromise data integrity or availability, it can aid attackers in reconnaissance and planning further attacks. Organizations with multi-tenant Kubernetes clusters or strict data privacy requirements may face compliance risks if sensitive monitoring data is exposed. The vulnerability is particularly impactful in environments where namespace-level RBAC permissions are broadly assigned, increasing the risk that a compromised or malicious user can escalate privileges. Given the growing adoption of Kubernetes and observability tools like Tempo in European enterprises, especially in sectors such as finance, telecommunications, and critical infrastructure, this vulnerability could facilitate lateral movement or targeted attacks if combined with other vulnerabilities or insider threats.

Mitigation Recommendations

To mitigate CVE-2025-2842, European organizations should:

1) Review and tighten RBAC permissions, ensuring that 'create' permissions on TempoStack and 'get' permissions on Secrets are only granted to trusted users and service accounts.
2) Disable the Jaeger UI Monitor Tab functionality in Tempo instances if it is not strictly required, preventing the automatic creation of the ClusterRoleBinding that grants broad cluster monitoring access.
3) Monitor and audit access to Kubernetes Secrets, especially those containing service account tokens, to detect unauthorized reads.
4) Implement network segmentation and restrict access to the Kubernetes API server to minimize exposure.
5) Employ Kubernetes Pod Security Policies or OPA Gatekeeper policies to enforce least privilege principles.
6) Keep the Tempo Operator and related components updated with any patches or security advisories addressing this issue.
7) Consider using Kubernetes features like Bound Service Account Tokens to reduce token exposure risks.
8) Educate cluster administrators on the risks of granting broad namespace-level permissions and the implications of operator-managed role bindings.
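The RBAC review in the first recommendation above can be automated. The following script is an added example, not code from this CVE record or from the Tempo Operator project: it walks Role, ClusterRole, RoleBinding and ClusterRoleBinding objects (in the JSON shape `kubectl get ... -o json` produces, reduced to the fields used) and reports every subject that holds, in the same namespace, both 'create' on TempoStack and 'get' on Secrets, which is the precondition the description gives. It assumes the TempoStack CRD lives in the API group `tempo.grafana.com`; the sample objects are constructed. The sample includes the mixed-scope case a quick grep would miss: a subject that gets 'create' cluster-wide through a ClusterRoleBinding and 'get' on Secrets only through a namespaced RoleBinding is still flagged for that namespace.

```python
"""Find RBAC subjects that can both create TempoStacks and read Secrets in one
namespace (the precondition for CVE-2025-2842). Added example; inputs mirror
the fields of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
"""
from collections import defaultdict

TEMPO_GROUP = "tempo.grafana.com"  # assumption: API group of the TempoStack CRD
CAP_CREATE_TEMPO = "create tempostacks"
CAP_GET_SECRETS = "get secrets"


def rule_grants(rule, group, resource, verb):
    """True if one PolicyRule covers group/resource/verb, honouring '*' wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def role_caps(role):
    """Capabilities of interest granted by a Role or ClusterRole."""
    caps = set()
    for rule in role.get("rules", []):
        if rule_grants(rule, TEMPO_GROUP, "tempostacks", "create"):
            caps.add(CAP_CREATE_TEMPO)
        if rule_grants(rule, "", "secrets", "get"):  # core API group is ""
            caps.add(CAP_GET_SECRETS)
    return caps


def find_risky_subjects(roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Map (subject kind, name) -> namespaces where both capabilities coincide.
    A namespace of '*' means the combination is cluster-wide."""
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    cr_index = {r["metadata"]["name"]: r for r in cluster_roles}
    grants = defaultdict(set)  # (kind, name) -> {(namespace, capability)}

    def record(binding, role, namespace):
        if role is None:  # dangling roleRef grants nothing
            return
        for subj in binding.get("subjects", []):
            for cap in role_caps(role):
                grants[(subj["kind"], subj["name"])].add((namespace, cap))

    for b in role_bindings:
        ns = b["metadata"]["namespace"]
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is still namespaced.
        role = cr_index.get(ref["name"]) if ref["kind"] == "ClusterRole" \
            else role_index.get((ns, ref["name"]))
        record(b, role, ns)
    for b in cluster_role_bindings:
        record(b, cr_index.get(b["roleRef"]["name"]), "*")

    risky = {}
    for subj, entries in grants.items():
        for ns in {n for n, _ in entries}:
            # cluster-wide grants ('*') apply in every namespace
            caps = {c for n, c in entries if n in (ns, "*")}
            if {CAP_CREATE_TEMPO, CAP_GET_SECRETS} <= caps:
                risky.setdefault(subj, set()).add(ns)
    return risky


# Constructed sample objects (not taken from any real cluster).
SAMPLE_ROLES = [
    {"metadata": {"namespace": "observability", "name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
]
SAMPLE_CLUSTER_ROLES = [
    # wildcard role granting namespace-level "cluster admin" when bound via RoleBinding
    {"metadata": {"name": "admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "tempo-editor"},
     "rules": [{"apiGroups": [TEMPO_GROUP], "resources": ["tempostacks"],
                "verbs": ["create", "update"]}]},
]
SAMPLE_ROLE_BINDINGS = [
    {"metadata": {"namespace": "observability", "name": "alice-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"namespace": "observability", "name": "bob-secrets"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]
SAMPLE_CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "tracing-team-tempo"},
     "roleRef": {"kind": "ClusterRole", "name": "tempo-editor"},
     "subjects": [{"kind": "Group", "name": "tracing-team"}, {"kind": "User", "name": "bob"}]},
]


def scan_sample():
    return find_risky_subjects(SAMPLE_ROLES, SAMPLE_CLUSTER_ROLES,
                               SAMPLE_ROLE_BINDINGS, SAMPLE_CLUSTER_ROLE_BINDINGS)


if __name__ == "__main__":
    for (kind, name), namespaces in sorted(scan_sample().items()):
        print(f"{kind}/{name}: can read a Tempo SA token in {sorted(namespaces)}")
```

On the sample data, `alice` is flagged through the namespaced wildcard role and `bob` through the combination of a cluster-wide TempoStack grant and a namespaced Secret grant, while the `tracing-team` group, which can create TempoStacks but not read Secrets, is not. Anything the script flags is a candidate for splitting the two permissions across different principals, or for disabling the Monitor Tab per recommendation 2.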


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-03-27T02:38:55.497Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f99000acd01a249270038

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 10/11/2025, 12:30:30 AM

Last updated: 11/20/2025, 2:13:26 AM

Views: 27
