Red Hat Openshift Distributed Tracing
Recent Red Hat Openshift Distributed Tracing Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:1431 | (RHSA-2026:1431) Red Hat OpenShift distributed tracing platform (Tempo) 3.8.2 release | January 27, 2026 |
| RHSA-2025:23421 | (RHSA-2025:23421) Red Hat OpenShift distributed tracing platform (Tempo) 3.8.1 release | December 16, 2025 |
| RHSA-2025:22618 | (RHSA-2025:22618) Red Hat OpenShift distributed tracing platform (Tempo) 3.8.0 release | December 2, 2025 |
| RHSA-2025:19807 | (RHSA-2025:19807) Red Hat OpenShift distributed tracing platform (Tempo) 3.7.1 release | November 5, 2025 |
| RHSA-2024:6274 | (RHSA-2024:6274) Moderate: Red Hat OpenShift distributed tracing 3.3.0 operator/operand containers | September 4, 2024 |
| RHSA-2024:3943 | (RHSA-2024:3943) Important: Red Hat OpenShift distributed tracing 3.2.1 operator containers security update | June 17, 2024 |
| RHSA-2024:1434 | (RHSA-2024:1434) Moderate: Red Hat OpenShift distributed tracing 3.1.1 operator/operand containers | March 20, 2024 |
| RHSA-2024:0998 | (RHSA-2024:0998) Low: Red Hat OpenShift distributed tracing 3.1.0 operator/operand containers | February 27, 2024 |
| RHSA-2023:7663 | (RHSA-2023:7663) Important: Red Hat OpenShift distributed tracing 3.0.0 operator/operand containers | December 6, 2023 |
| RHSA-2023:6180 | (RHSA-2023:6180) Important: Red Hat OpenShift distributed tracing 2.9.0 containers security update | October 30, 2023 |
By the Year
In 2026 there has been 1 vulnerability in Red Hat Openshift Distributed Tracing, with an average score of 5.3 out of ten. Last year, in 2025, Openshift Distributed Tracing had 8 security vulnerabilities published. Right now, Openshift Distributed Tracing is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.99.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.30 |
| 2025 | 8 | 6.29 |
| 2024 | 1 | 7.50 |
| 2023 | 1 | 7.50 |
It may take a day or so for new Openshift Distributed Tracing vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Openshift Distributed Tracing Security Vulnerabilities
Information Disclosure in Go Viper Mapstructure WeakDecode via Error Messages
CVE-2025-11065
5.3 - Medium
January 26, 2026
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Generation of Error Message Containing Sensitive Information
libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425
7.8 - High
July 10, 2025
A flaw was found in libxslt where the attribute type (atype) flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Dangling pointer
OOB Read in libssh SFTP Handle (CVE-2025-5318)
CVE-2025-5318
8.1 - High
June 24, 2025
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.
Out-of-bounds Read
PAM Namespace Race: Local Privilege Escalation via Symlinks in linux-pam
CVE-2025-6020
7.8 - High
June 17, 2025
A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Directory traversal
Integer Overflow in libarchive RAR Reader Causes Double-Free
CVE-2025-5914
7.8 - High
June 09, 2025
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Integer Overflow or Wraparound
GLib GString Integer Overflow Leading to Buffer Underrun
CVE-2025-4373
4.8 - Medium
May 06, 2025
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
buffer underrun
Exploitable ClusterRoleBinding Escalation in Grafana Tempo Operator
CVE-2025-2842
4.3 - Medium
April 02, 2025
A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.
Information Disclosure
Tempo Operator Misconfiguration Exposes SA Tokens to Namespace Users
CVE-2025-2786
4.3 - Medium
April 02, 2025
A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks.
Information Disclosure
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
OpenShift Telemeter JWT Auth 'iss' Bypass via Forged Token
CVE-2024-5037
7.5 - High
June 05, 2024
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issuer ("iss") check during JSON Web Token (JWT) authentication.
Authentication Bypass by Spoofing
HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487
7.5 - High
October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion