CVE-2018-17215

{"id": "CVE-2018-17215", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-09-26T21:29:01.853", "references": [{"url": "https://seclists.org/bugtraq/2018/Sep/56", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials)."}, {"lang": "es", "value": "Se ha descubierto un problema de divulgaci\u00f3n de informaci\u00f3n en Postman hasta su versi\u00f3n 6.3.0. Valida el certificado X.509 de un servidor y presenta un error si el certificado no es v\u00e1lido. Desafortunadamente, los datos de la petici\u00f3n HTTPS asociados se env\u00edan igualmente. Lo \u00fanico que no se muestra es la respuesta. Por lo tanto, toda la informaci\u00f3n contenida en la petici\u00f3n HTTPS se divulga a un atacante Man-in-the-Middle (MitM) (por ejemplo, las credenciales de usuario)."}], "lastModified": "2024-02-01T19:55:49.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F35E874F-A0C2-49FD-846E-6F4D03BF50E8", "versionEndIncluding": "6.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}