CVE-2025-2842 Tempo-operator: tempo operator token exposition lead to read sensitive data

🗓️ 02 Apr 2025 11:09:55Reported by redhatType

CVE-2025-2842 exposes sensitive data due to flawed Tempo Operator token management in Jaeger UI Monitor.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2025-2842	2 Apr 202512:56	–	circl
CNNVD	Grafana Tempo operator 信息泄露漏洞	2 Apr 202500:00	–	cnnvd
CVE	CVE-2025-2842	2 Apr 202511:09	–	cve
EUVD	EUVD-2025-9549	3 Oct 202520:07	–	euvd
Github Security Blog	Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor	2 Apr 202515:31	–	github
NVD	CVE-2025-2842	2 Apr 202512:15	–	nvd
OSV	GHSA-5XF3-GMX4-529V Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor	2 Apr 202515:31	–	osv
Positive Technologies	PT-2025-14479 · Unknown · Tempo Operator	2 Apr 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-2842	2 Apr 202511:07	–	redhatcve
RedHat Linux	Important: Red Hat Security Advisory: Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 release	4 Apr 202513:38	–	redhat

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "0.15.3",
        "versionType": "semver"
      }
    ],
    "packageName": "tempo-operator",
    "collectionURL": "https://github.com/grafana/tempo-operator",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3.5.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhosdt/tempo-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:233132300a9f5f019047a414b240f5b32c7563af8107bb52c4395892fdcd0fe0",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3.5.1",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhosdt/tempo-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "sha256:be2ec2e3d3b21748cfe3b9382f7fc1f6c72d5f380fc97773518c254c6e5794ca",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhosdt/tempo-gateway-opa-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhosdt/tempo-gateway-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhosdt/tempo-jaeger-query-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhosdt/tempo-query-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift distributed tracing 3",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhosdt/tempo-rhel8",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift_distributed_tracing:3"
    ]
  }
]

Source	Link
access	www.access.redhat.com/security/cve/CVE-2025-2842
access	www.access.redhat.com/errata/RHSA-2025:3740
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/grafana/tempo-operator/pull/1144
access	www.access.redhat.com/errata/RHSA-2025:3607

22 Mar 2026 03:43Current

CVSS 3.14.3

EPSS0.00312

CWE-200

cve-2025-2842 tempo operator sensitive data exposure jaeger ui monitor token management clusterrolebinding