{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2786", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-03-25T10:51:16.783Z", "datePublished": "2025-04-02T11:07:43.285Z", "dateUpdated": "2025-04-09T20:28:58.704Z"}, "containers": {"cna": {"title": "Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3.5.1", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "registry.redhat.io/rhosdt/tempo-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3.5.1", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "registry.redhat.io/rhosdt/tempo-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "sha256:e0e3273eceb8339638f2f1d91bb5eb6a57cfc0bc1442fcdea5fcff36812ccb4c", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-gateway-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-jaeger-query-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-query-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhosdt/tempo-rhel8-operator", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3607", "name": "RHSA-2025:3607", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3740", "name": "RHSA-2025:3740", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2786", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354811", "name": "RHBZ#2354811", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-03-25T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "workarounds": [{"lang": "en", "value": "Currently, no mitigation is available for this vulnerability."}], "timeline": [{"lang": "en", "time": "2025-03-25T11:13:18.903000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-25T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-09T20:28:58.704Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-02T13:53:24.818603Z", "id": "CVE-2025-2786", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T13:53:48.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2786", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-02T13:53:24.818603Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T13:53:32.587Z"}}], "cna": {"title": "Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3.5.1", "versions": [{"status": "unaffected", "version": "sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf", "lessThan": "*", "versionType": "rpm"}], "packageName": "registry.redhat.io/rhosdt/tempo-rhel8-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3.5.1", "versions": [{"status": "unaffected", "version": "sha256:e0e3273eceb8339638f2f1d91bb5eb6a57cfc0bc1442fcdea5fcff36812ccb4c", "lessThan": "*", "versionType": "rpm"}], "packageName": "registry.redhat.io/rhosdt/tempo-rhel8-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-gateway-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-jaeger-query-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-query-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_distributed_tracing:3"], "vendor": "Red Hat", "product": "Red Hat OpenShift distributed tracing 3", "packageName": "rhosdt/tempo-rhel8-operator", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-03-25T11:13:18.903000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-25T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-03-25T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3607", "name": "RHSA-2025:3607", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3740", "name": "RHSA-2025:3740", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2786", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354811", "name": "RHBZ#2354811", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Currently, no mitigation is available for this vulnerability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-09T20:28:58.704Z"}, "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}}, "cveMetadata": {"cveId": "CVE-2025-2786", "state": "PUBLISHED", "dateUpdated": "2025-04-09T20:28:58.704Z", "dateReserved": "2025-03-25T10:51:16.783Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-04-02T11:07:43.285Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Tempo Operator, que crea una cuenta de servicio, un rol de cl\u00faster y un enlace de rol de cl\u00faster cuando un usuario implementa una instancia de TempoStack o TempoMonolithic. Esta falla permite a un usuario con acceso completo a su espacio de nombres extraer el token de la cuenta de servicio y usarlo para enviar solicitudes TokenReview y SubjectAccessReview, lo que podr\u00eda revelar informaci\u00f3n sobre los permisos de otros usuarios. Si bien esto no permite la escalada de privilegios ni la suplantaci\u00f3n de identidad, expone informaci\u00f3n que podr\u00eda facilitar la recopilaci\u00f3n de informaci\u00f3n para futuros ataques."}], "id": "CVE-2025-2786", "lastModified": "2025-04-09T21:16:25.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-04-02T11:15:39.300", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3607"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3740"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-2786"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354811"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3607", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", "package": "registry.redhat.io/rhosdt/tempo-rhel8-operator:sha256:cbe0df797c34aebfec911c281fbfee9fe7713a4c45d778ae480cd6a7bcab202e", "product_name": "Red Hat OpenShift distributed tracing 3.5.1", "release_date": "2025-04-04T00:00:00Z"}, {"advisory": "RHSA-2025:3740", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", "package": "registry.redhat.io/rhosdt/tempo-rhel8-operator:sha256:9f3e34f7d7f600ca57a2cfa2abc665a12b9170595de8f99ee36025e8f4311ea2", "product_name": "Red Hat OpenShift distributed tracing 3.5.1", "release_date": "2025-04-09T00:00:00Z"}], "bugzilla": {"description": "tempo-operator: ServiceAccount Token Exposure Leading to Token and Subject Access Reviews in OpenShift Tempo Operator", "id": "2354811", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354811"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.", "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks."], "mitigation": {"lang": "en:us", "value": "Currently, no mitigation is available for this vulnerability."}, "name": "CVE-2025-2786", "package_state": [{"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-gateway-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-rhel8-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2025-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2786\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2786"], "statement": "Red Hat has evaluated this vulnerability and rated with a Moderate impact as the attacker is limited to read access and requires previous permissions to read the token and get access to the cluster metrics.", "threat_severity": "Moderate"}