{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T13:08:34.494","vulnerabilities":[{"cve":{"id":"CVE-2025-54064","sourceIdentifier":"security-advisories@github.com","published":"2025-07-17T15:15:27.733","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`."},{"lang":"es","value":"Rucio es un framework de software que proporciona funcionalidad para organizar, administrar y acceder a grandes volúmenes de datos científicos mediante políticas personalizables. Los diagramas de Helm comunes de Rucio para `rucio-server`, `rucio-ui` y `rucio-webui` definen el formato de registro para el registro de acceso de Apache de estos componentes. El `X-Rucio-Auth-Token`, que forma parte de cada encabezado de solicitud enviado a Rucio, es parte de este formato de registro. Por lo tanto, cada línea de registro de acceso expone potencialmente las credenciales (token interno de Rucio o JWT en caso de autenticación OIDC) del usuario. Debido a la longitud del token (especialmente para un JWT), los tokens a menudo se truncan y, por lo tanto, no se pueden usar como credenciales; sin embargo, la credencial (parcial) no debe formar parte del archivo de registro. El impacto de este problema se amplifica si los registros de acceso se ponen a disposición de un grupo más amplio de personas que los propios administradores de instancias. Se ha publicado una versión actualizada para los diagramas de Helm `rucio-server`, `rucio-ui` y `rucio-webui`. El cambio también se implementó para las versiones LTS de Rucio actualmente compatibles. Las versiones parcheadas son rucio-server 37.0.2, 35.0.1 y 32.0.1; rucio-ui 37.0.4, 35.0.1 y 32.0.2; y rucio-webui 37.0.2, 35.1.1 y 32.0.1. Como solución alternativa, se puede actualizar la variable `logFormat` y eliminar el `X-Rucio-Auth-Token`."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-532"}]}],"references":[{"url":"https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33","source":"security-advisories@github.com"}]}}]}