CVE-2025-54064
BaseFortify

Publication date: 2025-07-17

Last updated on: 2025-07-17

Assigner: GitHub, Inc.

Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the Apache access log of these components. The `X-Rucio-Auth-Token` header, which is part of each request sent to Rucio, is included in this log format. Thus, each access log line potentially exposes the credential (an internal Rucio token, or a JWT in the case of OIDC authentication) of the user. Due to the length of the token (especially for a JWT) the tokens are often truncated, and thus not usable as a credential; nevertheless, the (partial) credential should not be part of the log file. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-charts. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token` from it.
Meta Information
Published
2025-07-17
Last Modified
2025-07-17
Generated
2026-05-07
AI Q&A
2025-07-17
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
rucio rucio-webui 37.0.2
rucio rucio-server 37.0.2
rucio rucio-ui 37.0.4
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Rucio software framework's logging configuration, where the 'X-Rucio-Auth-Token' included in request headers is logged in the apache access logs. These tokens contain user credentials (internal tokens or JWTs), and logging them exposes sensitive authentication information. Although tokens are often truncated in logs, even partial credentials should not be recorded. This exposure risk increases if access logs are accessible to more users than just the instance administrators.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized disclosure of user credentials through access logs, potentially allowing attackers or unauthorized users who have access to these logs to obtain authentication tokens. This could result in unauthorized access to the Rucio system or data managed by it, especially if logs are accessible beyond trusted administrators.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by inspecting the Apache access logs of the Rucio components (rucio-server, rucio-ui, rucio-webui) for the presence of the 'X-Rucio-Auth-Token' header in the log entries. Since the token is included in the log format, searching the logs for this header will indicate exposure. For example, you can use commands like 'grep "X-Rucio-Auth-Token" /path/to/access.log' to find such entries.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Rucio helm-charts for rucio-server, rucio-ui, and rucio-webui to the patched versions (rucio-server 37.0.2, 35.0.1, 32.0.1; rucio-ui 37.0.4, 35.0.1, 32.0.2; rucio-webui 37.0.2, 35.1.1, 32.0.1). As a workaround, you can update the 'logFormat' variable in the helm-chart configuration to remove the 'X-Rucio-Auth-Token' from the Apache access log format, preventing tokens from being logged.


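The detection and workaround answers above, as an added example that is not part of this page or of the Rucio project: a Python script that checks an Apache LogFormat string for the `%{X-Rucio-Auth-Token}i` directive (Apache's syntax for writing a request header into the access log), locates the matching field in access-log lines, reports the lines that carry a token value, redacts them, and produces the stripped format that the workaround calls for. The helm-chart's real `logFormat` value is not on this page; `CONSTRUCTED_LOGFORMAT` and the `SAMPLE_LOG` lines are constructed for this example, and every token value in them is made up.

```python
import re

# Name of the header the advisory says is logged.
TOKEN_HEADER = "X-Rucio-Auth-Token"

# Hypothetical combined-style format (constructed, not the chart's real value)
# that writes the token header the way the advisory describes.
CONSTRUCTED_LOGFORMAT = (
    '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" '
    '"%{X-Rucio-Auth-Token}i"'
)

# Splits a LogFormat string or a log line into fields, keeping [..] groups
# (the %t timestamp) and "..." groups (request line, headers) whole.
FIELD_RE = re.compile(r'\[[^\]]*\]|"(?:\\.|[^"\\])*"|\S+')

# The token directive together with its optional surrounding quotes.
TOKEN_DIRECTIVE_RE = re.compile(
    r'\s*"?%\{' + re.escape(TOKEN_HEADER) + r'\}i"?', re.IGNORECASE
)

# Constructed sample access-log lines; token values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2025:10:00:01 +0000] "GET /dids/scope/name HTTP/1.1" '
    '200 512 "-" "rucio-clients/37.0" "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.trunc"',
    '10.0.0.6 - - [17/Jul/2025:10:00:02 +0000] "GET /ping HTTP/1.1" '
    '200 2 "-" "curl/8.0" "-"',
    '10.0.0.7 - - [17/Jul/2025:10:00:03 +0000] "POST /auth/userpass HTTP/1.1" '
    '200 0 "-" "rucio-clients/37.0" "constructed-internal-token-0123"',
]


def logformat_logs_token(fmt: str) -> bool:
    """True if the LogFormat string writes the token header (the weak setting)."""
    return TOKEN_DIRECTIVE_RE.search(fmt) is not None


def strip_token_from_logformat(fmt: str) -> str:
    """The advisory's workaround: the same format with the token directive removed."""
    return TOKEN_DIRECTIVE_RE.sub("", fmt).strip()


def token_field_index(fmt: str):
    """Position of the token directive among the format's fields, or None."""
    needle = "%{" + TOKEN_HEADER.lower() + "}i"
    for i, item in enumerate(FIELD_RE.findall(fmt)):
        if needle in item.lower():
            return i
    return None


def _token_value(fields, idx):
    """Token value in the given field, or None if the field is empty ('-')."""
    if idx is None or idx >= len(fields):
        return None
    value = fields[idx].strip('"')
    return value if value and value != "-" else None


def exposed_tokens(fmt: str, lines):
    """(line_number, token) for every line whose token field holds a value."""
    idx = token_field_index(fmt)
    hits = []
    for number, line in enumerate(lines, 1):
        value = _token_value(FIELD_RE.findall(line), idx)
        if value is not None:
            hits.append((number, value))
    return hits


def redact_line(fmt: str, line: str) -> str:
    """Copy of a log line with the token field replaced, for already-written logs."""
    idx = token_field_index(fmt)
    fields = FIELD_RE.findall(line)
    if _token_value(fields, idx) is not None:
        fields[idx] = '"[REDACTED]"'
    return " ".join(fields)


if __name__ == "__main__":
    print("weak format logs token:", logformat_logs_token(CONSTRUCTED_LOGFORMAT))
    for number, token in exposed_tokens(CONSTRUCTED_LOGFORMAT, SAMPLE_LOG):
        print(f"line {number}: token value present ({len(token)} chars)")
    print("hardened format:", strip_token_from_logformat(CONSTRUCTED_LOGFORMAT))
```

The format check is what to run against the chart's `logFormat` value before and after the workaround; the line scanner is for deciding whether logs already written need to be redacted or rotated out before they are shared beyond the instance administrators.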