GHSA-28gr-56hr-prp6

Suggest an improvement
Source
https://github.com/advisories/GHSA-28gr-56hr-prp6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-28gr-56hr-prp6/GHSA-28gr-56hr-prp6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-28gr-56hr-prp6
Aliases
Published
2025-04-02T15:31:36Z
Modified
2026-05-20T19:41:28.400140547Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Grafana Tempo Operator Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Details

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.

Database specific 
{
    "nvd_published_at": "2025-04-02T11:15:39Z",
    "github_reviewed_at": "2026-05-11T13:53:40Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Go / github.com/grafana/tempo-operator

Package

Name
github.com/grafana/tempo-operator
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/tempo-operator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.16.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-28gr-56hr-prp6/GHSA-28gr-56hr-prp6.json"