CVE-2018-17215
First published: Wed Sep 26 2018(Updated: )
An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Postman | <=6.3.0 | |
| antsle Antman | <=6.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-17215?
The severity of CVE-2018-17215 is classified as moderate due to the potential information exposure.
How do I fix CVE-2018-17215?
To fix CVE-2018-17215, update Postman to a version later than 6.3.0 where this issue is resolved.
What software is affected by CVE-2018-17215?
CVE-2018-17215 affects Postman versions up to and including 6.3.0.
What type of vulnerability is CVE-2018-17215?
CVE-2018-17215 is categorized as an information-disclosure vulnerability.
Can CVE-2018-17215 lead to data leaks?
Yes, CVE-2018-17215 can potentially lead to data leaks by sending sensitive request data even when a certificate validation failure occurs.
- agent/references
- agent/type
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/getpostman
- canonical/postman
- version/postman/6.3.0
- vendor/postman
- canonical/antsle antman
- version/antsle antman/6.3.0