From: Jarek Potiuk
To: oss-security@lists.openwall.com
Message-ID: <29c57c8f-9adb-42bc-da5b-998269a688e9@apache.org>
Date: Thu, 13 Jun 2024 15:05:09 +0000
Subject: [oss-security] CVE-2024-25142: Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache

Severity: low

Affected versions:

- Apache Airflow before 2.9.2

Description:

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.

Airflow did not return a "Cache-Control" header for dynamic content, which in some browsers could result in sensitive data being stored in the browser's local cache.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.

Credit:

Jens Scheffler (reporter)

References:

https://github.com/apache/airflow/pull/39550
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-25142
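
The missing-header condition described above, and one way to close it at the WSGI layer, as an added example that is not part of the advisory and is not Airflow's own fix (see the referenced pull request for that). The `/static/` prefix, the `NoStoreMiddleware` name and the demo app are assumptions made for illustration.

```python
# Added example: mark dynamic WSGI responses as non-storable by browser caches.
# Assumption: paths under these prefixes are static assets that may be cached.
STATIC_PREFIXES = ("/static/",)


class NoStoreMiddleware:
    """Add 'Cache-Control: no-store' to dynamic responses that lack the header."""

    def __init__(self, app, static_prefixes=STATIC_PREFIXES):
        self.app = app
        self.static_prefixes = tuple(static_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        is_static = path.startswith(self.static_prefixes)

        def patched_start(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            # Respect an explicit policy set by the app; only fill the gap.
            if not is_static and "cache-control" not in names:
                headers = list(headers) + [("Cache-Control", "no-store")]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    """Constructed sample app: one dynamic page and one static asset."""
    if environ["PATH_INFO"].startswith("/static/"):
        headers = [("Content-Type", "text/css"), ("Cache-Control", "max-age=3600")]
        body = b"body{}"
    else:
        # No Cache-Control on dynamic content: the condition in the advisory.
        headers = [("Content-Type", "text/html")]
        body = b"<p>connection details</p>"
    start_response("200 OK", headers)
    return [body]


def fetch_headers(app, path):
    """Call a WSGI app in-process and return its response headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    b"".join(app(environ, start_response))
    return captured
```

`fetch_headers` can also be pointed at any other WSGI callable to audit which routes return no `Cache-Control` header.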