Lucene search

19 matches found

Snyk
added 2026/01/28 4:33 p.m. | 3 views

Malicious Package

Overview: jaeger-ui-monorepo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS | 5.9 AI score
Exploits: 0 | References: 2
EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2023-40600

Malicious code in bioql PyPI...

5.4 CVSS | 5.6 AI score | 0.00581 EPSS
Exploits: 1 | References: 3
RedHat Linux
added 2025/09/30 8:54 a.m. | 3 views

Important: Red Hat Security Advisory: Red Hat OpenShift distributed tracing platform (Tempo) 3.7.0 release

Red Hat OpenShift distributed tracing platform Tempo 3.7.0 has been released. This release of the Red Hat OpenShift distributed tracing platform Tempo provides new features, security improvements, and bug fixes. Breaking changes: Nothing. Deprecations: Nothing. Technology Preview features: Nothing...

7.5 CVSS | 6.7 AI score | 0.00076 EPSS
Exploits: 0 | References: 3
Github Security Blog
added 2025/04/02 3:31 p.m. | 5 views

Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be...

4.3 CVSS | 5.7 AI score | 0.00264 EPSS
Exploits: 0 | References: 9 | Affected Software: 1
OSV
added 2025/04/02 3:31 p.m. | 1 views

GHSA-5XF3-GMX4-529V Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be...

4.3 CVSS | 5.7 AI score | 0.00264 EPSS
Exploits: 0 | References: 9
Snyk
added 2025/04/02 11:44 a.m. | 2 views

Incorrect Default Permissions

Overview: Affected versions of this package are vulnerable to Incorrect Default Permissions when using the Jaeger UI Monitor tab on OpenShift. A user with create permissions on TempoStack and get permissions on a namespaced Secret can read the token of the Tempo service account and subsequently...

5.3 CVSS | 6.8 AI score | 0.00264 EPSS
Exploits: 0 | References: 2
Snyk
added 2025/04/02 11:44 a.m. | 2 views

Incorrect Default Permissions

Overview: Affected versions of this package are vulnerable to Incorrect Default Permissions when using the Jaeger UI Monitor tab on OpenShift. A user with create permissions on TempoStack and get permissions on a namespaced Secret can read the token of the Tempo service account and subsequently...

5.3 CVSS | 6.8 AI score | 0.00264 EPSS
Exploits: 0 | References: 2
Cvelist
added 2025/04/02 11:9 a.m. | 20 views

CVE-2025-2842 Tempo-operator: tempo operator token exposition lead to read sensitive data

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be...

4.3 CVSS | 0.00264 EPSS
Exploits: 0 | References: 5
OSV
added 2025/02/03 4:54 p.m. | 4 views

MAL-2025-841 Malicious code in jaeger-ui-monorepo (npm)

--- -= Per source details. Do not edit below this line.=-...

7.1 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/01/30 4:55 p.m. | 2 views

Malicious code in jaeger-ui (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8f04434e6edf034f78f31f1b79371ae9218b708a68c422adb97016129e0d42b9 Any computer that has this package installed or running should be considered...

6.8 AI score
Exploits: 0 | References: 3
OSV
added 2025/01/30 4:55 p.m. | 6 views

MAL-2025-668 Malicious code in jaeger-ui (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8f04434e6edf034f78f31f1b79371ae9218b708a68c422adb97016129e0d42b9 Any computer that has this package installed or running should be considered...

7 AI score
Exploits: 0 | References: 3
RedhatCVE
added 2023/08/02 10:49 a.m. | 37 views

CVE-2023-36656

A flaw was found in the jaeger-ui package. A Cross-site scripting vulnerability allows a remote attacker to execute arbitrary code via the KeyValuesTable component...

5.7 CVSS | 7.3 AI score | 0.00581 EPSS
Exploits: 1 | References: 4
OSV
added 2023/07/17 4:15 p.m. | 14 views

CVE-2023-36656

Cross Site Scripting XSS vulnerability in Jaegertracing Jaeger UI before v.1.31.0 allows a remote attacker to execute arbitrary code via the KeyValuesTable component...

5.4 CVSS | 6.6 AI score
Exploits: 0 | References: 3
Vulnrichment
added 2023/07/17 12:0 a.m. | 13 views

CVE-2023-36656

Cross Site Scripting XSS vulnerability in Jaegertracing Jaeger UI before v.1.31.0 allows a remote attacker to execute arbitrary code via the KeyValuesTable component...

6.3 AI score | 0.00581 EPSS
Exploits: 1 | References: 3
CVE
added 2023/07/17 12:0 a.m. | 50 views

CVE-2023-36656

CVE-2023-36656 affects Jaeger UI prior to version 1.31.0. The issue is a Cross-Site Scripting (XSS) vulnerability in the KeyValuesTable component that can allow a remote attacker to execute arbitrary code in a victim’s browser. Affected software: Jaeger UI. Root cause: unsanitized input handling ...

5.4 CVSS | 5.4 AI score | 0.00581 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
Veracode
added 2023/07/14 9:41 a.m. | 25 views

Cross-Site Scripting (XSS)

github.com/jaegertracing/jaeger and gloo-jaeger-ui are vulnerable to Cross-Site Scripting XSS attacks. The vulnerability is triggered when rendering key-value tables in jaeger UI using the KeyValuesTable component, which allows an attacker to inject and execute malicious javascript on a victim's...

5.4 CVSS | 5.7 AI score | 0.00581 EPSS
Exploits: 1 | References: 6 | Affected Software: 2
Github Security Blog
added 2023/07/11 10:45 p.m. | 117 views

A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries

Related UI vulnerability advisory: https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r Summary: Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable...

6.2 AI score
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2023/07/11 10:45 p.m. | 32 views

GHSA-2W8W-QHG4-F78J A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries

Related UI vulnerability advisory: https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r Summary: Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable...

6.5 CVSS | 6.1 AI score
Exploits: 0 | References: 4
Circl
added 2023/07/11 3:33 p.m. | 1 views

CVE-2023-36656

creationtimestamp | type | source
---|---|---
2023-07-11 15:33:08+00:00 | published-proof-of-concept | https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r
2023-07-11 15:40:38+00:00 | published-proof-of-concept | ...

5.4 CVSS | 6.1 AI score | 0.00581 EPSS
Exploits: 1 | References: 2