Skip to content

Insertion of X-Rucio-Auth-Token in apache access logfiles

Moderate
bari12 published GHSA-cmfq-f2v2-vj33 Jul 16, 2025

Package

rucio-server (helm-charts)

Affected versions

<=37.0.1 (except for 35.0.1 and 32.0.1)

Patched versions

37.0.2, 35.0.1, 32.0.1
rucio-ui (helm-charts)
<=37.0.3 (except for 35.0.1 and 32.0.2)
37.0.4, 35.0.1, 32.0.2
rucio-webui (helm-charts)
<=37.0.1 (except for 35.1.1 and 32.0.1)
37.0.2, 35.1.1, 32.0.1

Description

Impact

The common Rucio helm-charts for the rucio-server, rucio-ui, and rucio-webui define the log format for the apache access log of these components. The X-Rucio-Auth-Token, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user.

Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile.

The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves.

Patches

An updated release has been supplied for the rucio-server, rucio-ui and rucio-webui helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are:

  • rucio-server: 37.0.2, 35.0.1, 32.0.1
  • rucio-ui: 37.0.4, 35.0.1, 32.0.2
  • rucio-webui: 37.0.2, 35.1.1, 32.0.1

Workarounds

Updating the logFormat variable and removing the X-Rucio-Auth-Token is possible as well.

Severity

Moderate

CVE ID

CVE-2025-54064

Weaknesses

Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file. Learn more on MITRE.

Credits