Published: 26/09/2018 Updated: 21/11/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

An information-disclosure issue exists in Postman through 6.3.0. Postman validates the server's X.509 certificate and presents an error if the certificate is not valid, but the associated HTTPS request is sent anyway; only the response is not displayed. As a result, everything contained in the HTTPS request (for example, user credentials) is disclosed to a man-in-the-middle attacker holding an invalid certificate.

Mailing Lists

Postman versions 6.3.0 and below suffer from a man-in-the-middle vulnerability due to improper certificate validation ...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-016
Product: Postman (standalone)
Manufacturer: Postman
Affected Version(s): 6.3.0 and older
Tested Version(s): 6.2.2 x64 (Windows and Linux), 6.3.0
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification ...