CVE-2018-17215

An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).
References
Link Resource
https://seclists.org/bugtraq/2018/Sep/56 Exploit Mailing List Third Party Advisory
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*

History

01 Feb 2024, 19:55

Type Values Removed Values Added
CPE cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*
CPE cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*
CPE cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*
CPE cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*
CPE cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*

Information

Published : 2018-09-26 21:29

Updated : 2024-02-01 19:55


NVD link : CVE-2018-17215

Mitre link : CVE-2018-17215

CVE.ORG link : CVE-2018-17215


JSON object : View

Products Affected

postman

  • postman
CWE
CWE-295

Improper Certificate Validation