CVE-2024-25142

EPSS 0.1%
Veröffentlicht 14.06.2024 09:15:09
Zuletzt bearbeitet 20.03.2025 20:15:31
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.9.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.282

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-525 Use of Web Browser Cache Containing Sensitive Information

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

https://github.com/apache/airflow/pull/39550

Patch

https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/06/13/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-25142

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25142

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25142

EUVD