Cyber Resilience

CVE-2022-24900

Critical · Public PoC

Published: 29 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.7329 (98.8th percentile)
Risk Priority: 64 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24900 is a critical-severity Path Traversal (CWE-22) vulnerability in Piano LED Visualizer (Piano LED Visualizer Project). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Piano LED Visualizer versions 1.3 and earlier contain a path traversal vulnerability in the web interface component that handles file serving. The root cause is unsafe handling of untrusted input via os.path.join before passing the result to flask.send_file; because os.path.join discards prior path elements when it encounters an absolute path, an attacker-supplied absolute path bypasses the intended static directory restriction entirely. The issue is tracked under CWE-22, CWE-73, and CWE-668 and carries a CVSS 3.1 score of 9.9.

An unauthenticated remote attacker can supply a crafted path in an API request to read or write arbitrary files on the host, achieving high-impact confidentiality exposure with limited integrity and availability effects and a changed security scope. Exploitation requires only network access and no user interaction or credentials.

The project’s GitHub security advisory and associated pull request describe two mitigations: applying the fix present on the master branch or refactoring the code to avoid passing untrusted data to send_file, either by using flask.safe_join for path construction or by switching to flask.send_from_directory.

EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.8917 before receding to the current value of 0.7329, indicating sustained post-publication exploitation interest that warrants renewed attention.

Vulnerability details

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered up to that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing the flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessitates this behaviour, one can either use `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.
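Added example, not code from the Piano LED Visualizer project or its advisory: the `os.path.join` behaviour described in the Deeper analysis and Vulnerability details above, shown beside a standard-library containment check of the kind `flask.safe_join` and `flask.send_from_directory` perform for you. The static directory and request names are constructed, and `posixpath` is used so the result is identical on every platform.

```python
import posixpath

# Constructed example root; not the project's real static directory.
STATIC_DIR = "/srv/visualizer/static"


def unsafe_resolve(static_dir: str, requested: str) -> str:
    """The vulnerable pattern: os.path.join(static_dir, untrusted) -> send_file.

    posixpath.join behaves like os.path.join on POSIX: when `requested`
    is absolute, every earlier component (the static directory) is
    discarded and the caller ends up serving the client-supplied path.
    """
    return posixpath.join(static_dir, requested)


def safe_resolve(static_dir: str, requested: str):
    """Hardened form, stdlib only (constructed here; flask.safe_join is
    the library equivalent the advisory recommends).

    Returns the resolved path when it stays inside static_dir, else None
    so the caller can answer 404/403 instead of calling send_file.
    """
    # 1. An absolute request can never be a file name under the root.
    if posixpath.isabs(requested):
        return None
    # 2. Collapse "." and ".." so any traversal shows in the final path.
    root = posixpath.normpath(static_dir)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # 3. Containment check. commonpath (not startswith) is required:
    #    a prefix test would accept ".../static2/x" under ".../static".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/app.css", "css/../app.css", "../../../outside.txt",
                "/outside/secret.txt", "../static2/x"):
        print(f"{req!r:24} unsafe={unsafe_resolve(STATIC_DIR, req)!r:38} "
              f"safe={safe_resolve(STATIC_DIR, req)!r}")
```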

CWE(s): CWE-22, CWE-73, CWE-668

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: piano led visualizer project
Product: piano led visualizer
Versions: ≤ 1.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-22, CWE-73: Validates pathnames and filenames to prevent traversal outside intended directories.

addresses CWE-668: Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.

addresses CWE-668: Ensures information is not released into a security sphere where the recipient lacks matching access authorizations.

addresses CWE-668: Ensures information resources are not exposed to the incorrect (public) sphere through review and authorization.

addresses CWE-668: Protects against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.

addresses CWE-668: Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres.

addresses CWE-668: Controls internal connections to prevent exposure of resources to unintended internal spheres.

addresses CWE-668: Knowing exact processing and storage locations helps avoid exposure of resources to incorrect spheres.
