CVE-2022-24900
Description
Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The os.path.join
call is unsafe for use with untrusted input. When the os.path.join
call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of os.path.join
ignores the static directory completely. Hence, untrusted input is passed via the os.path.join
call to flask.send_file
can lead to path traversal attacks. A patch with a fix is available on the master
branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable send_file
function. In case the application logic necessiates this behaviour, one can either use the flask.safe_join
to join untrusted paths or replace flask.send_file
calls with flask.send_from_directory
calls.
Severity: HIGH
CVE ID: CVE-2022-24900
CVSS Score: 8.6
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: CRITICAL
CVE ID: CVE-2022-24900
CVSS Score: 9.9
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Proof Of Concept
Nuclei Templates for CVE-2022-24900
Refrence: Project Discovery GitHub