oss-security - CVE-2024-25142: Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <29c57c8f-9adb-42bc-da5b-998269a688e9@apache.org>
Date: Thu, 13 Jun 2024 15:05:09 +0000
From: Jarek Potiuk <potiuk@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-25142: Apache Airflow: Cache Control - Storage of
 Sensitive Data in Browser Cache  

Severity: low

Affected versions:

- Apache Airflow before 2.9.2

Description:

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.

Credit:

Jens Scheffler (reporter)

References:

https://github.com/apache/airflow/pull/39550
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-25142

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.