CVE-2024-25142

EPSS 0.1%
Published 14.06.2024 09:15:09
Last modified 20.03.2025 20:15:31
Source security@apache.org
Teams watchlist Login
Open Login

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.9.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.282

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-525 Use of Web Browser Cache Containing Sensitive Information

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

https://github.com/apache/airflow/pull/39550

Patch

https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/06/13/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-25142

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25142

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25142

EUVD