PT-2018-13950 · Postman · Postman

Ludwig Stage · Published 2018-09-26 · Updated 2024-02-01 · CVE-2018-17215

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Postman versions through 6.3.0

Description: An information-disclosure issue was discovered in Postman. Postman validates the server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway; only the response is withheld from display. Thus, the entire contents of the HTTPS request, for example user credentials, are disclosed to a man-in-the-middle attacker.

Recommendations: For Postman versions through 6.3.0, update to a version later than 6.3.0 to resolve the issue. As a temporary workaround, consider disabling HTTPS requests in Postman until a patch is available. Restrict access to sensitive information when using Postman to minimize the risk of exploitation. Avoid using Postman to send sensitive information over HTTPS until the issue is resolved.
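The ordering defect in the description (certificate checked, error reported, request sent regardless) next to the correct ordering (verification as part of the handshake, so a failure means nothing is ever written), as an added example that is not part of this advisory and not Postman's code. The program is Go using only the standard library; it starts a local TLS listener with a freshly generated self-signed certificate that stands in for the man-in-the-middle and counts the application-data bytes it receives. `SampleRequest`, the bearer token in it, the host name, and the function names `SendVerifyAfter`, `SendVerified` and `Probe` are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SampleRequest is a constructed request with a constructed credential: the data at risk.
const SampleRequest = "POST /login HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer constructed-example-token\r\n\r\n"

// startUntrustedServer listens on localhost with a self-signed certificate that no client trusts
// (it stands in for the man-in-the-middle), serves one connection, and delivers on the returned
// channel the number of application-data bytes it managed to read from that connection.
func startUntrustedServer() (net.Listener, <-chan int64, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN matching the dial address
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return nil, nil, err
	}
	got := make(chan int64, 1)
	go func() {
		var n int64
		defer func() { got <- n }()
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		buf := make([]byte, 4096)
		for {
			k, err := c.Read(buf) // the first Read also runs the server-side handshake
			n += int64(k)
			if err != nil {
				return
			}
		}
	}()
	return ln, got, nil
}

// SendVerifyAfter reproduces the ordering defect the advisory describes: the certificate
// is checked and the failure is reported, but the check does not gate the write.
func SendVerifyAfter(addr string, request []byte) (int, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	_, certErr := conn.ConnectionState().PeerCertificates[0].Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
	sent, _ := conn.Write(request) // defect: written whether or not certErr is set
	return sent, certErr
}

// SendVerified is the correct ordering: verification is part of the handshake, so a
// failure surfaces before any application data exists on the wire.
func SendVerified(addr string, request []byte) (int, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: x509.NewCertPool()})
	if err != nil {
		return 0, err // handshake refused; the request was never written
	}
	defer conn.Close()
	return conn.Write(request)
}

// Probe runs one client against a fresh untrusted server and reports the certificate error
// the client saw next to the number of request bytes the server actually received.
func Probe(client func(addr string, request []byte) (int, error)) (bytesOnWire int64, certErr error, err error) {
	ln, got, err := startUntrustedServer()
	if err != nil {
		return 0, nil, err
	}
	_, certErr = client(ln.Addr().String(), []byte(SampleRequest))
	ln.Close() // unblocks Accept if the client never connected
	return <-got, certErr, nil
}

func main() {
	fmt.Println(Probe(SendVerifyAfter)) // prints: bytes on wire, certificate error, setup error
	fmt.Println(Probe(SendVerified))
}
```

Both clients report a certificate error against the untrusted server; the difference is what the server has by then. The first hands the whole request, credential included, to a connection whose peer it has just declared untrustworthy, which is the disclosure the advisory describes. The second never gets a connection object at all, because the TLS library refuses the handshake, so there is nothing to write. Any client whose certificate check is a separate step after the connection exists, rather than a condition of the handshake, has the same shape as the first function.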

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: CVE-2018-17215

Affected Products: Postman