PT-2025-29919
Stevenctimm · Published 2025-07-17 · Updated 2025-07-17
CVE-2025-54064
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
rucio-server: versions prior to 37.0.2, 35.0.1, and 32.0.1
rucio-ui: versions prior to 37.0.4, 35.0.1, and 32.0.2
rucio-webui: versions prior to 37.0.2, 35.1.1, and 32.0.1

Description
Rucio is a software framework used to organize, manage, and access large volumes of scientific data. The Apache access log format configured for the rucio-server, rucio-ui, and rucio-webui components includes the X-Rucio-Auth-Token request header, which carries the user's credential. Every request therefore writes that credential (an internal Rucio token or a JWT) into the access log, and anyone who can read the logs, including people who are not authorized to act as that user, can recover and reuse it.

Recommendations
rucio-server versions prior to 37.0.2, 35.0.1, and 32.0.1: update to version 37.0.2, 35.0.1, or 32.0.1.
rucio-ui versions prior to 37.0.4, 35.0.1, and 32.0.2: update to version 37.0.4, 35.0.1, or 32.0.2.
rucio-webui versions prior to 37.0.2, 35.1.1, and 32.0.1: update to version 37.0.2, 35.1.1, or 32.0.1.
As a workaround, update the logFormat variable to remove the X-Rucio-Auth-Token directive from the access log format.
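The workaround above amounts to auditing the Apache LogFormat string for a `%{X-Rucio-Auth-Token}i` directive, removing it, and then scrubbing the token values that earlier log lines already contain. The following Python script is an added illustration of that defender-side procedure, not Rucio's own code or configuration: WEAK_FORMAT and SAMPLE_LOG are constructed examples (the JWT-shaped value is fake), and the list of credential headers beyond X-Rucio-Auth-Token is an assumption added here, not something the advisory states. It generalizes slightly by parsing any LogFormat string rather than one fixed layout.

```python
"""Audit Apache LogFormat strings for directives that write credential-bearing
request headers, and redact such values from access logs already on disk.

Added illustration for CVE-2025-54064 (Rucio components logging the
X-Rucio-Auth-Token header). WEAK_FORMAT and SAMPLE_LOG are constructed
examples, not Rucio's shipped httpd configuration or real log data.
"""
import re

# Request headers whose values are credentials. X-Rucio-Auth-Token is the header
# named in the advisory; the other entries are an assumed, common-sense extension.
SENSITIVE_HEADERS = {"x-rucio-auth-token", "authorization", "proxy-authorization", "cookie"}

# One Apache LogFormat directive: %h, %>s, %{X-Rucio-Auth-Token}i, %%, ...
DIRECTIVE = re.compile(r"%(?P<mod>[<>!\d,]*)(?:\{(?P<arg>[^}]*)\})?(?P<letter>[A-Za-z%])")

# Constructed weak format: the final field copies the auth token into every line.
WEAK_FORMAT = '%h %l %u %t "%r" %>s %b "%{X-Rucio-Auth-Token}i"'

# Constructed log lines written with WEAK_FORMAT (the JWT-shaped value is fake).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2025:10:00:00 +0000] "GET /dids/scope/name HTTP/1.1" 200 512 '
    '"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"',
    '10.0.0.6 - - [17/Jul/2025:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-"',
]


def header_name(m):
    """Header name if the directive logs a request header (%{Name}i), else None."""
    return m.group("arg") if m.group("letter") == "i" and m.group("arg") else None


def is_sensitive(name):
    return bool(name) and name.lower() in SENSITIVE_HEADERS


def find_sensitive_directives(log_format):
    """Names of credential headers a LogFormat string would write to the log."""
    return [header_name(m) for m in DIRECTIVE.finditer(log_format)
            if is_sensitive(header_name(m))]


def strip_sensitive_directives(log_format):
    """The advisory's workaround: drop the offending %{...}i directives."""
    cleaned = DIRECTIVE.sub(
        lambda m: "" if is_sensitive(header_name(m)) else m.group(0), log_format)
    cleaned = cleaned.replace('""', "")          # remove now-empty quoted fields
    return re.sub(r" {2,}", " ", cleaned).strip()


def format_to_regex(log_format):
    """Compile a regex that parses lines written with log_format, one capture
    group per directive. Returns (regex, header name per group or None)."""
    parts, groups, pos = [], [], 0
    for m in DIRECTIVE.finditer(log_format):
        parts.append(re.escape(log_format[pos:m.start()]))
        pos = m.end()
        if m.group("letter") == "%":             # literal percent sign
            parts.append("%")
            continue
        quoted = (log_format[m.start() - 1:m.start()] == '"'
                  and log_format[m.end():m.end() + 1] == '"')
        if m.group("letter") == "t" and not m.group("arg"):
            parts.append(r"(\[[^\]]*\])")        # %t is bracketed and contains a space
        elif quoted:
            parts.append(r'([^"]*)')             # quoted field may contain spaces
        else:
            parts.append(r"(\S+)")
        groups.append(header_name(m))
    parts.append(re.escape(log_format[pos:]))
    return re.compile("^" + "".join(parts) + "$"), groups


def redact_line(line, pattern, groups, mask="[REDACTED]"):
    """Replace credential fields in one log line; unparseable lines are left as-is."""
    m = pattern.match(line)
    if not m:
        return line
    out, pos = [], 0
    for i, name in enumerate(groups, start=1):
        if is_sensitive(name) and m.group(i) not in ("", "-"):
            out.append(line[pos:m.start(i)])
            out.append(mask)
            pos = m.end(i)
    out.append(line[pos:])
    return "".join(out)


def redact_log(lines, log_format=WEAK_FORMAT):
    """Redact every line of an access log written with the given LogFormat."""
    pattern, groups = format_to_regex(log_format)
    return [redact_line(line, pattern, groups) for line in lines]


if __name__ == "__main__":
    print("logged credential headers:", find_sensitive_directives(WEAK_FORMAT))
    print("fixed LogFormat:", strip_sensitive_directives(WEAK_FORMAT))
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Removing the directive stops new tokens from being written, but tokens already in rotated or shipped logs remain valid until they expire or are revoked; the positional redaction is there because an internal Rucio token has no fixed textual shape that a plain pattern match could rely on, so the script locates the field from the format string instead.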

Weakness Enumeration
Insertion into Log File

Related Identifiers

CVE-2025-54064
GHSA-CMFQ-F2V2-VJ33

Affected Products

Apache
Rucio-Server
Rucio-Ui
Rucio-Webui