x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-25142

[GoVulnBot]

CVE-2024-25142 references github.com/apache/airflow, which may be a Go module.

Description:
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-25142
• JSON: https://github.com/CVEProject/cvelist/tree/5726aae118f2ff933e5d207f8be6d0ca2b150c67/2024/25xxx/CVE-2024-25142.json
• advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-25142
• fix: Add Cache-Control "no-store" to all dynamically generated content apache/airflow#39550
• web: https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
• Imported by: https://pkg.go.dev/github.com/apache/airflow?tab=importedby

Cross references:

• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50943 #2473 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50944 #2474 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-51702 #2475 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-25141 #2570 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-27906 #2586 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-26280 #2596 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-28746 #2680 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-29735 #2681 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-31869 #2733 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-29733 #2742 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-46288 #2805 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-32077 #2835 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow
summary: CVE-2024-25142 in github.com/apache/airflow
cves:
    - CVE-2024-25142
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-25142
    - fix: https://github.com/apache/airflow/pull/39550
    - web: https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
source:
    id: CVE-2024-25142
    created: 2024-06-14T10:01:10.811206351Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/592765 mentions this issue: data/excluded,data/reports: add 10 reports