CVE-2022-24900

9.9 CRITICAL

📋 TL;DR

CVE-2022-24900 is a critical path traversal vulnerability in Piano LED Visualizer software versions 1.3 and earlier. It allows attackers to read arbitrary files on the system by exploiting unsafe path handling in the web interface: a user-controlled path is joined with os.path.join and passed to Flask's send_file, so an absolute path replaces the intended base directory. Users running Piano LED Visualizer with untrusted input are affected.

💻 Affected Systems

Products:
  • Piano LED Visualizer
Versions: Version 1.3 and earlier
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the vulnerable web interface component are affected. The vulnerability exists in the Flask web interface when processing file requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via reading sensitive files like SSH keys, configuration files, or password databases, potentially leading to lateral movement or data exfiltration.

🟠 Likely Case

Unauthorized access to application files, configuration data, or other sensitive information stored on the server where Piano LED Visualizer is running.

🟢 If Mitigated

No impact if proper input validation and safe path joining methods are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is in a web interface component and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through other attack vectors, but requires network access to the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers can craft malicious absolute paths to bypass directory restrictions. Public proof-of-concept exists in the GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Master branch commit 3f10602323cd8184e1c69a76b815655597bf0ee5 and later

Vendor Advisory: https://github.com/onlaj/Piano-LED-Visualizer/security/advisories/GHSA-g78x-q3x8-r6m4

Restart Required: Yes

Instructions:

1. Update to the latest version from the master branch on GitHub.
2. Replace vulnerable os.path.join calls with flask.safe_join.
3. Restart the Piano LED Visualizer service.
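An added example (not code from the Piano LED Visualizer project) contrasting the pre-fix os.path.join pattern with a containment check of the kind flask.safe_join performs. It uses only the standard library's posixpath so it runs without Flask installed; BASE_DIR is a constructed placeholder, and in the real fix the app should call flask.safe_join or send_from_directory as the instructions above say.

```python
import posixpath

# Constructed base directory for the example; the real app serves from its own folder.
BASE_DIR = "/opt/piano-led-visualizer/files"


def vulnerable_resolve(base_dir, user_input):
    """The pre-fix pattern: join an untrusted component onto the base directory.

    posixpath.join (like os.path.join) discards base_dir entirely when
    user_input is absolute, and never collapses '..' components, so the
    result can point anywhere on the filesystem.
    """
    return posixpath.join(base_dir, user_input)


def safe_resolve(base_dir, user_input):
    """Containment check in the spirit of flask.safe_join (stdlib only).

    Returns the resolved path inside base_dir, or None when the request
    must be rejected (empty, absolute, or escaping via '..').
    """
    if not user_input:
        return None
    # Treat backslashes as separators too, so "..\\" cannot slip past the check.
    candidate = user_input.replace("\\", "/")
    if posixpath.isabs(candidate):
        return None
    normalized = posixpath.normpath(candidate)
    # After normpath, any surviving '..' can only be a leading component, i.e. an escape.
    if normalized == ".." or normalized.startswith("../"):
        return None
    full = posixpath.join(base_dir, normalized)
    # Belt and braces: the final path must still share base_dir as its prefix.
    if posixpath.commonpath([base_dir, full]) != base_dir:
        return None
    return full


if __name__ == "__main__":
    for req in ("songs/a.mid", "/etc/passwd", "../../../etc/passwd", "..\\..\\win.ini"):
        print(f"{req!r:28} vulnerable -> {vulnerable_resolve(BASE_DIR, req)}")
        print(f"{'':28} safe       -> {safe_resolve(BASE_DIR, req)}")
```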

🔧 Temporary Workarounds

Input Validation Workaround

Platform: all

Implement strict input validation to reject absolute paths and path traversal sequences before they reach the vulnerable function.

# Add input validation in the Flask route handler
# Example Python code:
import os
from flask import abort

def validate_path(user_input):
    # Reject absolute paths (which os.path.join would use verbatim, discarding
    # the base directory) and any '..' sequence, before the value reaches send_file
    if os.path.isabs(user_input) or '..' in user_input:
        abort(400, 'Invalid path specified')
    return user_input

Network Restriction

Platform: all

Restrict network access to the Piano LED Visualizer web interface to trusted networks only.

# Linux firewall example
sudo iptables -A INPUT -p tcp --dport [PIANO_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [PIANO_PORT] -j DROP
# Windows firewall example
New-NetFirewallRule -DisplayName "Block Piano LED Visualizer" -Direction Inbound -LocalPort [PIANO_PORT] -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Disable the web interface component entirely if not required for functionality
  • Run Piano LED Visualizer in a restricted container or sandbox with minimal file system access

🔍 How to Verify

Check if Vulnerable:

Check if running version 1.3 or earlier by examining the software version in the application interface or configuration files.

Check Version:

# Check version in Python
import piano_led_visualizer
print(piano_led_visualizer.__version__)

Verify Fix Applied:

Verify that os.path.join calls with user input have been replaced with flask.safe_join or that send_from_directory is used instead of send_file in the codebase.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in application logs
  • HTTP requests containing absolute paths or '../' sequences
  • Failed file access attempts outside expected directories

Network Indicators:

  • HTTP requests with path traversal payloads to the Piano LED Visualizer endpoint
  • Unusual outbound file transfers from the Piano LED Visualizer host

SIEM Query:

source="piano_led_visualizer.log" AND (path="*..*" OR path="*/etc/*" OR path="*/root/*" OR path="*/windows/*")

🔗 References
