CVE-2018-17215

An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:54

Type Values Removed Values Added
References () https://seclists.org/bugtraq/2018/Sep/56 - Exploit, Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2018/Sep/56 - Exploit, Mailing List, Third Party Advisory
References () https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt - Exploit, Third Party Advisory () https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt - Exploit, Third Party Advisory

01 Feb 2024, 19:55

Type Values Removed Values Added
First Time Postman postman
Postman
CPE cpe:2.3:a:getpostman:postman:*:*:*:*:*:*:*:* cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:*

Information

Published : 2018-09-26 21:29

Updated : 2024-11-21 03:54


NVD link : CVE-2018-17215

Mitre link : CVE-2018-17215

CVE.ORG link : CVE-2018-17215


JSON object : View

Products Affected

postman

  • postman
CWE
CWE-295

Improper Certificate Validation