CVE-2025-54064

July 17, 2025, 9:15 p.m.

6.9
Medium

Description

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.

Product(s) Impacted

Vendor Product Versions
Rucio
  • Rucio-server
  • Rucio-ui
  • Rucio-webui
  • 37.0.2, 35.0.1, 32.0.1
  • 37.0.4, 35.0.1, 32.0.2
  • 37.0.2, 35.1.1, 32.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-532
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a rucio rucio-server 37.0.2 / / / / / / /
a rucio rucio-server 35.0.1 / / / / / / /
a rucio rucio-server 32.0.1 / / / / / / /
a rucio rucio-ui 37.0.4 / / / / / / /
a rucio rucio-ui 35.0.1 / / / / / / /
a rucio rucio-ui 32.0.2 / / / / / / /
a rucio rucio-webui 37.0.2 / / / / / / /
a rucio rucio-webui 35.1.1 / / / / / / /
a rucio rucio-webui 32.0.1 / / / / / / /

References

https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33

Tags

security-advisories@github.com
CWE-532
2025-07-17
CVE-2025-54064

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: July 17, 2025, 3:15 p.m.
Last Modified: July 17, 2025, 9:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.