CVE-2024-26477
Information Disclosure in Statping-ng API via Crafted Requests
Publication date: 2026-02-11
Last updated on: 2026-02-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statping-ng | statping-ng | 0.91.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Statping-ng version 0.91.0 and allows an attacker to obtain sensitive information by sending a specially crafted request to the api parameter of the oauth, amazon_sns, and export endpoints.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain access to sensitive information from the affected endpoints, potentially leading to unauthorized data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves crafted requests to the api parameter of the oauth, amazon_sns, and export endpoints in Statping-ng v0.91.0. Detection can be approached by monitoring and analyzing HTTP requests targeting these specific API endpoints for unusual or malformed parameters.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and inspect network traffic or server logs for suspicious requests to these endpoints. For example, using command-line tools like curl to simulate crafted requests or using network monitoring tools such as tcpdump or Wireshark to capture traffic.'}, {'type': 'list_item', 'content': "Use curl to test the API endpoints with crafted parameters, e.g.: curl -v 'http://<target>/api/oauth?api=<crafted_payload>'"}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic on the server: tcpdump -i <interface> -A 'tcp port 80 or 443'"}, {'type': 'list_item', 'content': 'Review Statping-ng server logs for unusual access patterns or errors related to the oauth, amazon_sns, or export API endpoints.'}] [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoints and applying any available patches or updates from the vendor.
Since the vulnerability allows sensitive information disclosure via crafted requests, it is critical to limit API access to trusted users and networks only.
- Implement network-level access controls such as firewalls or IP whitelisting to restrict access to the API endpoints.
- Disable or restrict the oauth, amazon_sns, and export API endpoints if they are not required.
- Monitor logs and network traffic for suspicious activity targeting these endpoints.
- Apply patches or updates from the Statping-ng project once they are released addressing this vulnerability.