Vulnerabilities related to Red Hat - Red Hat OpenShift distributed tracing 3.5.1
cve-2025-2786
Vulnerability from cvelistv5
Published
2025-04-02 11:07
Modified
2025-04-09 20:28
Summary
A flaw was found in Tempo Operator: it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. A user with full access to their namespace can therefore extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid reconnaissance for further attacks.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2025:3607 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:3740 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-2786 | vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2354811 | issue-tracking, x_refsource_REDHAT
Impacted products
Vendor | Product | Version
---|---|---
Red Hat | Red Hat OpenShift distributed tracing 3.5.1 | Unaffected: sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf < * cpe:/a:redhat:openshift_distributed_tracing:3.5::el8
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-2786", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-02T13:53:24.818603Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-02T13:53:48.875Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", ], defaultStatus: "affected", packageName: "registry.redhat.io/rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3.5.1", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", ], defaultStatus: "affected", packageName: "registry.redhat.io/rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3.5.1", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "sha256:e0e3273eceb8339638f2f1d91bb5eb6a57cfc0bc1442fcdea5fcff36812ccb4c", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-gateway-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-jaeger-query-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { 
collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-query-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, ], datePublic: "2025-03-25T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. 
While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-09T20:28:58.704Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2025:3607", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:3607", }, { name: "RHSA-2025:3740", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:3740", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2025-2786", }, { name: "RHBZ#2354811", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2354811", }, ], timeline: [ { lang: "en", time: "2025-03-25T11:13:18.903000+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2025-03-25T00:00:00+00:00", value: "Made public.", }, ], title: "Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator", workarounds: [ { lang: "en", value: "Currently, no mitigation is available for this vulnerability.", }, ], x_redhatCweChain: "CWE-200: Exposure of Sensitive 
Information to an Unauthorized Actor", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2025-2786", datePublished: "2025-04-02T11:07:43.285Z", dateReserved: "2025-03-25T10:51:16.783Z", dateUpdated: "2025-04-09T20:28:58.704Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-2842
Vulnerability from cvelistv5
Published
2025-04-02 11:09
Modified
2025-04-09 20:29
Summary
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole.
This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user with ClusterAdmin permissions for a specific namespace): such a user can read the token of the Tempo service account and thereby gain access to all cluster metrics.
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2025:3607 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:3740 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-2842 | vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2355219 | issue-tracking, x_refsource_REDHAT
Impacted products
Vendor | Product | Version
---|---|---
Red Hat | Red Hat OpenShift distributed tracing 3.5.1 | Unaffected: sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf < * cpe:/a:redhat:openshift_distributed_tracing:3.5::el8
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-2842", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-02T13:12:50.601180Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-02T13:25:51.661Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", ], defaultStatus: "affected", packageName: "registry.redhat.io/rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3.5.1", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", ], defaultStatus: "affected", packageName: "registry.redhat.io/rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3.5.1", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "sha256:e0e3273eceb8339638f2f1d91bb5eb6a57cfc0bc1442fcdea5fcff36812ccb4c", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-gateway-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-jaeger-query-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { 
collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-query-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "affected", packageName: "rhosdt/tempo-rhel8-operator", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, ], datePublic: "2025-03-27T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole.\nThis can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-09T20:29:15.309Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2025:3607", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:3607", }, { name: "RHSA-2025:3740", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:3740", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2025-2842", }, { name: "RHBZ#2355219", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2355219", }, ], timeline: [ { lang: "en", time: "2025-03-27T02:33:13.059000+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2025-03-27T00:00:00+00:00", value: "Made public.", }, ], title: "Tempo-operator: tempo operator token exposition lead to read sensitive data", workarounds: [ { lang: "en", value: "Currently, no mitigation is available for this vulnerability.", }, ], x_redhatCweChain: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2025-2842", datePublished: "2025-04-02T11:09:55.496Z", dateReserved: "2025-03-27T02:38:55.497Z", dateUpdated: "2025-04-09T20:29:15.309Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }