CVE-2024-25142

MEDIUM

Apache Airflow <2.9.2 - Info Disclosure

Title source: llm

Description

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue.

References (3)

[Patch] https://github.com/apache/airflow/pull/39550

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2024/06/13/1

Scores

CVSS v3 5.5

EPSS 0.0010

EPSS Percentile 27.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-525

Status published

Affected Products (2)

apache/airflow < 2.9.2

pypi/apache-airflow < 2.9.2PyPI

Timeline

Published Jun 14, 2024

Tracked Since Feb 18, 2026