An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).
References
Link | Resource |
---|---|
https://seclists.org/bugtraq/2018/Sep/56 | Exploit Mailing List Third Party Advisory |
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt | Exploit Third Party Advisory |
https://seclists.org/bugtraq/2018/Sep/56 | Exploit Mailing List Third Party Advisory |
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 03:54
Type | Values Removed | Values Added |
---|---|---|
References | () https://seclists.org/bugtraq/2018/Sep/56 - Exploit, Mailing List, Third Party Advisory | |
References | () https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt - Exploit, Third Party Advisory |
01 Feb 2024, 19:55
Type | Values Removed | Values Added |
---|---|---|
First Time |
Postman postman
Postman |
|
CPE | cpe:2.3:a:postman:postman:*:*:*:*:*:*:*:* |
Information
Published : 2018-09-26 21:29
Updated : 2024-11-21 03:54
NVD link : CVE-2018-17215
Mitre link : CVE-2018-17215
CVE.ORG link : CVE-2018-17215
JSON object : View
Products Affected
postman
- postman
CWE
CWE-295
Improper Certificate Validation