Rucio-Ui · CVE-2025-54064
**Name of the Vulnerable Software and Affected Versions**
rucio-server versions 37.0.2, 35.0.1, and 32.0.1
rucio-ui versions 37.0.4, 35.0.1, and 32.0.2
rucio-webui versions 37.0.2, 35.1.1, and 32.0.1
**Description**
Rucio is a software framework used to organize, manage, and access large volumes of scientific data. The `X-Rucio-Auth-Token` header, which carries the user's credential, is included in the Apache access log format for the `rucio-server`, `rucio-ui`, and `rucio-webui` components. This writes potentially sensitive credentials (an internal Rucio token or a JWT) into the access logs, which is a problem especially when those logs are readable by unauthorized individuals.
**Recommendations**
rucio-server versions prior to 37.0.2, 35.0.1, and 32.0.1: Update to version 37.0.2, 35.0.1, or 32.0.1.
rucio-ui versions prior to 37.0.4, 35.0.1, and 32.0.2: Update to version 37.0.4, 35.0.1, or 32.0.2.
rucio-webui versions prior to 37.0.2, 35.1.1, and 32.0.1: Update to version 37.0.2, 35.1.1, or 32.0.1.
As a workaround, update the `logFormat` variable so that the `X-Rucio-Auth-Token` header is no longer part of the access log format.
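An added example in Python (not Rucio's code or configuration) to support the workaround above: it checks whether an Apache `LogFormat` string still carries the `%{X-Rucio-Auth-Token}i` directive, produces the stripped format, and scans already-written access-log lines for JWT-shaped values, since any token logged before the fix should be treated as exposed. The `LEAKY_FORMAT` value and the sample log lines are constructed for illustration, not taken from a Rucio deployment.

```python
import re

# Constructed example of an Apache LogFormat that would reproduce the issue:
# the %{X-Rucio-Auth-Token}i directive copies the request header (the user's
# credential) into every access-log line. Illustration only, not Rucio's
# actual logFormat value.
LEAKY_FORMAT = (
    r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" '
    r'\"%{X-Rucio-Auth-Token}i\"'
)

# Matches the %{Header}i directive for the token header together with the
# optional escaped quotes around it and the preceding space, so that removal
# leaves a tidy format string. Apache treats header names in %{...}i
# case-insensitively, hence re.IGNORECASE.
_TOKEN_DIRECTIVE = re.compile(r'\s*(\\")?%\{x-rucio-auth-token\}i(\\")?', re.IGNORECASE)


def logs_auth_token(log_format: str) -> bool:
    """True if this LogFormat string writes X-Rucio-Auth-Token to the log."""
    return _TOKEN_DIRECTIVE.search(log_format) is not None


def strip_auth_token(log_format: str) -> str:
    """Return the LogFormat with the token directive removed (the workaround)."""
    return _TOKEN_DIRECTIVE.sub('', log_format).strip()


# A JWT is three base64url segments joined by dots; the header segment of a
# JSON JWT begins with "eyJ" (the base64url encoding of '{"').
_JWT = re.compile(r'\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*')


def jwt_like_tokens(line: str) -> list:
    """Return JWT-shaped strings found in one access-log line."""
    return _JWT.findall(line)


def scan_access_log(lines):
    """Yield (line_number, token) for every JWT-shaped value in existing logs."""
    for number, line in enumerate(lines, 1):
        for token in jwt_like_tokens(line):
            yield number, token


# Constructed access-log lines (not from a real deployment); the second one
# carries a JWT-shaped value where a leaky format would have written it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /dids HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    '10.0.0.6 - - [01/Jan/2025:12:00:01 +0000] "GET /rses HTTP/1.1" 200 128 "-" "curl/8.0" '
    '"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc-DEF_123"',
]
```

Running `scan_access_log` over rotated logs tells you which files still hold credentials and therefore need to be purged or access-restricted, in addition to fixing the format going forward.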