216.73.216.86

CVE-2025-2786

· Published 02/04/2025 11:15 · Modified 02/04/2025 14:58

Labels: CVE-2025-2786 2025-04-02CVE-2025-2786CWE-200[email protected]

Essential information

Published
02/04/2025 11:15
Modified
02/04/2025 14:58
Author
Creator
CVSS
4.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS metrics

Description

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
red hat / tempo operator cpe:2.3:a:red_hat:tempo_operator:*:*:*:*:*:*:*:*

References