{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-02T17:16:40.802","vulnerabilities":[{"cve":{"id":"CVE-2025-2842","sourceIdentifier":"secalert@redhat.com","published":"2025-04-02T12:15:14.677","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole.\nThis can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics."},{"lang":"es","value":"Se detectó una falla en Tempo Operator. Al habilitar la pestaña Monitor de la interfaz de usuario de Jaeger en una instancia de Tempo administrada por el operador Tempo, este crea un ClusterRoleBinding para la cuenta de servicio de la instancia de Tempo para otorgar el ClusterRole de vista de monitorización de clúster. Esto puede explotarse si un usuario tiene permisos de creación en TempoStack y permisos de obtención en Secret en un espacio de nombres (por ejemplo, un usuario tiene permisos de administrador de clúster para un espacio de nombres específico), ya que el usuario puede leer el token de la cuenta de servicio de Tempo y, por lo tanto, tiene acceso para ver todas las métricas del clúster."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2025:3607","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2025:3740","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2025-2842","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2355219","source":"secalert@redhat.com"},{"url":"https://github.com/grafana/tempo-operator/pull/1144","source":"secalert@redhat.com"}]}}]}