CVE-2025-2786

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:3607
https://access.redhat.com/errata/RHSA-2025:3740
https://access.redhat.com/security/cve/CVE-2025-2786
https://bugzilla.redhat.com/show_bug.cgi?id=2354811

Configurations

No configuration.

History

No history.

Information

Published : 2025-04-02 11:15

Updated : 2025-04-09 21:16

NVD link : CVE-2025-2786

Mitre link : CVE-2025-2786

CVE.ORG link : CVE-2025-2786

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-2786", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-04-02T11:15:39.300", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3607", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2025:3740", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-2786", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354811", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Tempo Operator, que crea una cuenta de servicio, un rol de cl\u00faster y un enlace de rol de cl\u00faster cuando un usuario implementa una instancia de TempoStack o TempoMonolithic. Esta falla permite a un usuario con acceso completo a su espacio de nombres extraer el token de la cuenta de servicio y usarlo para enviar solicitudes TokenReview y SubjectAccessReview, lo que podr\u00eda revelar informaci\u00f3n sobre los permisos de otros usuarios. Si bien esto no permite la escalada de privilegios ni la suplantaci\u00f3n de identidad, expone informaci\u00f3n que podr\u00eda facilitar la recopilaci\u00f3n de informaci\u00f3n para futuros ataques."}], "lastModified": "2025-04-09T21:16:25.720", "sourceIdentifier": "secalert@redhat.com"}