CVE-2024-25142 — Use of Web Browser Cache Containing Sensitive Information in Software Foundation Apache Airflow

CWE-525 — Use of Web Browser Cache Containing Sensitive Information5 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 71.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedJun 14

Description

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 2.9.2

▶CVEListV5apache_software_foundation/apache_airflow< 2.9.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-25142: Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow↗2024-06-14

▶

OSV

Apache Airflow does not return the "Cache-Control" header for dynamic content↗2024-06-14

▶

CVEList

Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache↗2024-06-14

▶

GHSA

Apache Airflow does not return the "Cache-Control" header for dynamic content↗2024-06-14

▶