CVE-2022-24900
published 2022-04-29


Priority: P2 (62)
Severity: high, CVSS 3.1 base score 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 8.04% (94.1th percentile)
Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing the flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessitates this behaviour, one can either use `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

Affected (2 ranges)

Vendor                         Product                Version range   Fixed in
onlaj                          piano-led-visualizer   <= 1.3          -
piano_led_visualizer_project   piano_led_visualizer   <= 1.3          -

Detection & IOCs (extracted from sources)

URL: /api/change_setting?second_value=no_reload&disable_sequence=true&value=../../../../../../../etc/passwd
Path: ../../../../../../../etc/passwd
  • Monitor GET requests to the /api/change_setting endpoint whose 'value' parameter contains path traversal sequences (e.g. '../'); that parameter is passed unsafely to os.path.join and then to flask.send_file.
  • Alert on HTTP 200 responses to /api/change_setting requests whose body matches Unix passwd file patterns (root:.*:0:0:), which indicates successful local file inclusion.
  • Flag requests whose 'value' parameter for /api/change_setting is an absolute path (starting with '/'), since os.path.join discards the static directory prefix and serves arbitrary files.
  • The vulnerability affects Piano LED Visualizer version 1.3 and prior only. Patched versions (after commit 3f10602323cd8184e1c69a76b815655597bf0ee5 on master) are not affected.
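The unsafe `os.path.join` behaviour described in the advisory text beside a hardened resolver, together with the request-line check from the detection bullets above, as an added example that is not the project's own code. The access-log lines, the `/srv/static` directory and the `settings.xml` file name are constructed; the hardened resolver is illustrative and not Flask's `safe_join` itself.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request lines in the shape of an HTTP access log; the first
# reproduces the traversal URL listed in the IOCs, the other two are made up.
SAMPLE_REQUEST_LINES = [
    "GET /api/change_setting?second_value=no_reload&disable_sequence=true"
    "&value=../../../../../../../etc/passwd HTTP/1.1",
    "GET /api/change_setting?second_value=no_reload&value=/etc/passwd HTTP/1.1",
    "GET /api/change_setting?second_value=no_reload&value=settings.xml HTTP/1.1",
]

TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)


def unsafe_resolve(static_dir: str, value: str) -> str:
    """The vulnerable pattern: os.path.join discards every earlier component
    as soon as it meets an absolute path, so the static directory vanishes."""
    return os.path.join(static_dir, value)


def safe_resolve(static_dir: str, value: str):
    """Hardened counterpart (illustrative, not Flask's safe_join): reject
    absolute paths and '..' segments, then confirm the normalised result
    still sits below static_dir. Returns None when it does not."""
    if os.path.isabs(value) or ".." in re.split(r"[/\\]", value):
        return None
    base = os.path.normpath(static_dir)
    candidate = os.path.normpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_suspicious_request(request_line: str) -> bool:
    """Detection logic for the bullets above: a GET to /api/change_setting
    whose 'value' parameter carries a traversal sequence or an absolute path."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/api/change_setting":
        return False
    # parse_qs percent-decodes once; a second unquote catches double encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("value", []):
        decoded = unquote(raw)
        if decoded.startswith("/") or TRAVERSAL.search(decoded):
            return True
    return False
```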

CVSS provenance

NVD, CVSS v3.1: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)