CVE-2018-17215
Postman < 6.3.0 - Information Disclosure via Improper Certificate Validation
Severity: HIGH
An information-disclosure issue was discovered in Postman through 6.3.0. Postman validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway; only the response is not displayed. Thus, all information contained in the HTTPS request (for example, user credentials) is disclosed to a man-in-the-middle attacker.
References (2)
Mailing list (exploit, third-party advisory): https://seclists.org/bugtraq/2018/Sep/56
Third-party advisory (exploit): https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt
Scores
CVSS v3: 8.1
EPSS: 0.0064
EPSS Percentile: 45.9%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-295
Status: published
Products (1): postman/postman < 6.3.0
Published: Sep 26, 2018
Tracked Since: Feb 18, 2026