Vulnerability Description
An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Postman | Postman | <= 6.3.0 |
Related Weaknesses (CWE)
References
- https://seclists.org/bugtraq/2018/Sep/56ExploitMailing ListThird Party Advisory
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.tExploitThird Party Advisory
- https://seclists.org/bugtraq/2018/Sep/56ExploitMailing ListThird Party Advisory
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.tExploitThird Party Advisory
FAQ
What is CVE-2018-17215?
CVE-2018-17215 is a vulnerability with a CVSS score of 8.1 (HIGH). An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated ...
How severe is CVE-2018-17215?
CVE-2018-17215 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17215?
Check the references section above for vendor advisories and patch information. Affected products include: Postman Postman.