// For flags

CVE-2018-17215

Postman 6.3.0 Improper Certificate Validation

Severity Score

8.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).

Se ha descubierto un problema de divulgación de información en Postman hasta su versión 6.3.0. Valida el certificado X.509 de un servidor y presenta un error si el certificado no es válido. Desafortunadamente, los datos de la petición HTTPS asociados se envían igualmente. Lo único que no se muestra es la respuesta. Por lo tanto, toda la información contenida en la petición HTTPS se divulga a un atacante Man-in-the-Middle (MitM) (por ejemplo, las credenciales de usuario).

Postman versions 6.3.0 and below suffer from a man-in-the-middle vulnerability due to improper certificate validation.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-09-19 CVE Reserved
  • 2018-09-25 CVE Published
  • 2024-02-17 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Postman
Search vendor "Postman"
Postman
Search vendor "Postman" for product "Postman"
<= 6.3.0
Search vendor "Postman" for product "Postman" and version " <= 6.3.0"
-
Affected