CVE-2022-24900
Published: 29 April 2022
Summary
CVE-2022-24900 is a critical-severity Path Traversal (CWE-22) vulnerability in Piano LED Visualizer (Piano Led Visualizer Project). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Piano LED Visualizer versions 1.3 and earlier contain a path traversal vulnerability in the web interface component that handles file serving. The root cause is unsafe handling of untrusted input via os.path.join before passing the result to flask.send_file; because os.path.join discards prior path elements when it encounters an absolute path, an attacker-supplied absolute path bypasses the intended static directory restriction entirely. The issue is tracked under CWE-22, CWE-73, and CWE-668 and carries a CVSS 3.1 score of 9.9.
An unauthenticated remote attacker can supply a crafted path in an API request to read or write arbitrary files on the host, achieving high-impact confidentiality exposure with limited integrity and availability effects and a changed security scope. Exploitation requires only network access and no user interaction or credentials.
The project’s GitHub security advisory and associated pull request describe two mitigations: applying the fix present on the master branch or refactoring the code to avoid passing untrusted data to send_file, either by using flask.safe_join for path construction or by switching to flask.send_from_directory.
EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.8917 before receding to the current value of 0.7329, indicating sustained post-publication exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29661
Vulnerability details
Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing the flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessitates this behaviour, one can either use `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.
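The following is an added illustration of the weakness class described above and of the hardened alternative; it is not code from the Piano LED Visualizer project or its fix. `STATIC_DIR` is a constructed example directory, and `safe_join` here is a stdlib stand-in for the kind of check that `flask.safe_join` (and the Werkzeug helper it wraps) performs, written so the example runs without Flask installed. `resolve_static` adds the containment check that a `send_from_directory`-style handler relies on before handing a path to the file sender.

```python
import os
import posixpath

# Constructed example base directory; the project's real path is not on this page.
STATIC_DIR = "/srv/piano-led-visualizer/static"


def vulnerable_join(base: str, user_path: str) -> str:
    """The unsafe pattern the advisory describes: os.path.join with untrusted input.

    If user_path is absolute, os.path.join discards `base` and returns user_path
    unchanged, so the static-directory restriction never applies. Relative
    '..' segments are also passed through untouched.
    """
    return os.path.join(base, user_path)


def safe_join(base: str, *segments: str):
    """Stand-in for the check flask.safe_join / werkzeug's safe_join performs
    (written for this example, not copied from either library).

    Each segment must be relative, contain no backslashes, and must not climb
    above the base via '..'. Returns None when a segment is rejected; the caller
    should turn that into a 404 rather than serve anything.
    """
    parts = [base]
    for seg in segments:
        if seg == "":
            continue
        normalized = posixpath.normpath(seg)
        if (
            "\\" in seg
            or os.path.isabs(seg)
            or normalized == ".."
            or normalized.startswith("../")
        ):
            return None
        parts.append(seg)
    return posixpath.join(*parts)


def resolve_static(user_path: str):
    """Resolve a request path to a file inside STATIC_DIR, or None.

    This is what a send_from_directory-style handler does: join safely, then
    confirm the fully resolved target (symlinks included) is still under the
    base directory before the file sender ever sees it.
    """
    joined = safe_join(STATIC_DIR, user_path)
    if joined is None:
        return None
    base_real = os.path.realpath(STATIC_DIR)
    target_real = os.path.realpath(joined)
    if os.path.commonpath([base_real, target_real]) != base_real:
        return None  # normalisation or a symlink escaped the base
    return target_real


def escapes_base(user_path: str) -> bool:
    """True when the naive join would leave STATIC_DIR (after normalisation)."""
    naive = os.path.normpath(vulnerable_join(STATIC_DIR, user_path))
    return os.path.commonpath([STATIC_DIR, naive]) != STATIC_DIR


if __name__ == "__main__":
    # Compare both strategies on a benign request and on two traversal shapes.
    for req in ("css/style.css", "/etc/passwd", "../../etc/passwd"):
        print(f"{req!r:24} naive={vulnerable_join(STATIC_DIR, req)!r:45} "
              f"safe={resolve_static(req)!r}")
```

The defensive takeaway is the two-layer shape: reject absolute and `..`-bearing segments before joining, then verify containment on the resolved path. Either layer alone is weaker; the first misses symlinks under the static directory, the second is easy to forget on a new endpoint.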
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
- Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.
- Ensures information is not released into a security sphere where the recipient lacks matching access authorizations.
- Ensures information resources are not exposed to the incorrect (public) sphere through review and authorization.
- Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.
- Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.
- Controls internal connections to prevent exposure of resources to unintended internal spheres.
- Tracks exact processing and storage locations to avoid exposure of resources to incorrect spheres.