216.73.217.64

CVE-2025-54064

· Published 17/07/2025 15:15 · Modified 17/07/2025 21:15

Labels: CVE-2025-54064 2025-07-17CVE-2025-54064CWE-532[email protected]

Essential information

Published
17/07/2025 15:15
Modified
17/07/2025 21:15
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rucio / rucio-server cpe:2.3:a:rucio:rucio-server:37.0.2:*:*:*:*:*:*:*
rucio / rucio-server cpe:2.3:a:rucio:rucio-server:35.0.1:*:*:*:*:*:*:*
rucio / rucio-server cpe:2.3:a:rucio:rucio-server:32.0.1:*:*:*:*:*:*:*
rucio / rucio-ui cpe:2.3:a:rucio:rucio-ui:37.0.4:*:*:*:*:*:*:*
rucio / rucio-ui cpe:2.3:a:rucio:rucio-ui:35.0.1:*:*:*:*:*:*:*
rucio / rucio-ui cpe:2.3:a:rucio:rucio-ui:32.0.2:*:*:*:*:*:*:*
rucio / rucio-webui cpe:2.3:a:rucio:rucio-webui:37.0.2:*:*:*:*:*:*:*
rucio / rucio-webui cpe:2.3:a:rucio:rucio-webui:35.1.1:*:*:*:*:*:*:*
rucio / rucio-webui cpe:2.3:a:rucio:rucio-webui:32.0.1:*:*:*:*:*:*:*

References