How severe is CVE-2022-24900?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.6 out of 10.

What type of vulnerability is CVE-2022-24900?

This is classified as CWE-22, which is a common weakness in software security.

CVE-2022-24900

HIGH Year: 2022

CVSS v3 Score

8.6

High

CVSS v2 Score

5.0

Medium

Weakness Type

CWE-22

View all →

Vulnerability Description

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

CVE-2014-9356

HIGH

CVSS:8.6(High)

Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or ...

CWE-222014

CVE-2015-4694

HIGH

CVSS:8.6(High)

Directory traversal vulnerability in download.php in the Zip Attachments plugin before 1.5.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the za_file parameter.

CWE-222015

CVE-2015-4988

HIGH

CVSS:8.6(High)

Directory traversal vulnerability in the replay server in IBM Tealeaf Customer Experience before 8.7.1.8818, 8.8 before 8.8.0.9026, 9.0.0, 9.0.0A, 9.0.1 before 9.0.1.1083, 9.0.1A before 9.0.1.5073, 9....

CWE-222015

CVE-2015-7907

HIGH

CVSS:8.6(High)

Directory traversal vulnerability in the web server on Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allows remote attackers to bypass authentication, and wri...

CWE-222015

CVE-2016-1525

HIGH

CVSS:8.6(High)

Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the r...

CWE-222016

CVE-2016-5803

HIGH

CVSS:8.6(High)

An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier. The Unified Infrastructure Management software uses external input to construct a pathname that should be with...

CWE-222016

CVE-2022-24900

Vulnerability Description

Related Vulnerabilities

CVE-2014-9356

CVE-2015-4694

CVE-2015-4988

CVE-2015-7907

CVE-2016-1525

CVE-2016-5803