CVE-2025-2786: Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator

Description

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

Classification

CVE ID: CVE-2025-2786

Problem Types

Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat

Product: Red Hat OpenShift distributed tracing 3, Red Hat OpenShift distributed tracing 3, Red Hat OpenShift distributed tracing 3, Red Hat OpenShift distributed tracing 3, Red Hat OpenShift distributed tracing 3, Red Hat OpenShift distributed tracing 3

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.93% (scored less or equal to compared to others)

EPSS Date: 2025-04-29 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2786
https://access.redhat.com/security/cve/CVE-2025-2786
https://bugzilla.redhat.com/show_bug.cgi?id=2354811

Timeline

2025-04-02 12:40:14 UTC
CVE

Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator