CVE-2025-54064
Essential information
- Published
- 17/07/2025 15:15
- Modified
- 17/07/2025 21:15
- Author
- —
- Creator
- —
- CVSS
- 6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- NONE
- Confidentiality (V)
- LOW
- Confidentiality (S)
- NONE
- Integrity (V)
- NONE
- Integrity (S)
- NONE
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| rucio / rucio-server | cpe:2.3:a:rucio:rucio-server:37.0.2:*:*:*:*:*:*:* |
| rucio / rucio-server | cpe:2.3:a:rucio:rucio-server:35.0.1:*:*:*:*:*:*:* |
| rucio / rucio-server | cpe:2.3:a:rucio:rucio-server:32.0.1:*:*:*:*:*:*:* |
| rucio / rucio-ui | cpe:2.3:a:rucio:rucio-ui:37.0.4:*:*:*:*:*:*:* |
| rucio / rucio-ui | cpe:2.3:a:rucio:rucio-ui:35.0.1:*:*:*:*:*:*:* |
| rucio / rucio-ui | cpe:2.3:a:rucio:rucio-ui:32.0.2:*:*:*:*:*:*:* |
| rucio / rucio-webui | cpe:2.3:a:rucio:rucio-webui:37.0.2:*:*:*:*:*:*:* |
| rucio / rucio-webui | cpe:2.3:a:rucio:rucio-webui:35.1.1:*:*:*:*:*:*:* |
| rucio / rucio-webui | cpe:2.3:a:rucio:rucio-webui:32.0.1:*:*:*:*:*:*:* |