
CVE-2022-24900: CWE-73: External Control of File Name or Path in onlaj Piano-LED-Visualizer

Medium
Published: Fri Apr 29 2022 (04/29/2022, 13:50:11 UTC)
Source: CVE
Vendor/Project: onlaj
Product: Piano-LED-Visualizer

Description

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing the flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessitates this behaviour, one can either use `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

AI-Powered Analysis

Last updated: 06/22/2025, 02:04:49 UTC

Technical Analysis

CVE-2022-24900 is a path traversal vulnerability affecting versions 1.3 and earlier of the Piano-LED-Visualizer software developed by onlaj. This software integrates with a piano connected to a computer to visually represent piano key presses via LED lights. The vulnerability arises from unsafe handling of file paths within the application, specifically the use of Python's os.path.join combined with Flask's send_file. When os.path.join is given an absolute path as an argument, it discards all preceding path components and uses the absolute path directly. In this case, untrusted user input is passed as a path component to os.path.join; an absolute value replaces the intended static directory, and the Flask send_file call then serves files from outside that directory. This improper limitation of a pathname to a restricted directory (CWE-22) and external control of file name or path (CWE-73) can allow an attacker to read arbitrary files on the host system by crafting requests that exploit the traversal. The vulnerability can be mitigated by validating input paths, using Flask's safe_join to join untrusted paths, or replacing send_file calls with send_from_directory to restrict file serving to a specific directory. A patch addressing this issue is available on the master branch of the project's GitHub repository. No known exploits have been reported in the wild to date.
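The join behaviour described above, and the containment check that flask.safe_join / send_from_directory enforce, as an added illustration that is not code from the Piano-LED-Visualizer project. The static directory and file names are constructed placeholders; it uses posixpath so the result is the same on any platform, and it does not touch the filesystem.

```python
import posixpath

# Constructed example directory; not the project's real layout.
STATIC_DIR = "/srv/piano/static"


def vulnerable_resolve(static_dir: str, user_path: str) -> str:
    """The pre-patch pattern the advisory describes.

    os.path.join trusts every argument, so an absolute user_path makes it
    discard static_dir entirely and the caller serves whatever was named.
    """
    return posixpath.join(static_dir, user_path)


def safe_resolve(static_dir: str, user_path: str):
    """Hardened join with the same rule safe_join applies.

    Returns the resolved path when it stays inside static_dir, or None when
    the request is absolute, contains a NUL byte, or climbs out with '..'.
    """
    if not user_path or posixpath.isabs(user_path) or "\x00" in user_path:
        return None
    base = posixpath.normpath(static_dir)
    # normpath collapses any '..' segments; commonpath then compares the
    # result component-wise, so '/srv/piano/static_evil' does not match
    # '/srv/piano/static' the way a plain string-prefix check would.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate
```

In a real handler, resolve symlinks with os.path.realpath before the containment check as well, since normpath only reasons about the string.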

Potential Impact

For European organizations using Piano-LED-Visualizer, particularly in educational institutions, music studios, or entertainment venues, this vulnerability could lead to unauthorized disclosure of sensitive files on the host system. Attackers exploiting this flaw could read configuration files, credentials, or other sensitive data stored on the system, potentially facilitating further attacks or data breaches. Although the software's niche use limits the attack surface, compromised systems could be leveraged as footholds within larger networks. The impact on confidentiality is significant, while integrity and availability impacts are lower unless the attacker uses the access to modify files or disrupt services. Given the lack of authentication requirements and the ease of exploitation via crafted requests, the threat poses a moderate risk. However, the absence of known exploits and the specialized nature of the software reduce the likelihood of widespread impact.

Mitigation Recommendations

European organizations should prioritize updating Piano-LED-Visualizer to the latest version from the master branch where the patch is applied. If immediate updates are not feasible, developers or administrators should modify the application code to replace os.path.join calls with Flask's safe_join function when handling untrusted input paths. Alternatively, replacing send_file calls with send_from_directory ensures files are served only from designated directories, preventing path traversal. Network-level controls such as restricting access to the application via firewalls or VPNs can reduce exposure. Additionally, monitoring logs for unusual file access patterns or requests containing absolute paths can help detect exploitation attempts. Organizations should also conduct code reviews and penetration testing focused on file path handling in custom or third-party applications to proactively identify similar vulnerabilities.
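For the log-monitoring recommendation above, an added example (not part of the advisory or the project) that scans access-log lines for the two request shapes the advisory describes: '..' segments in the decoded path and absolute paths supplied as query values. The log lines are constructed samples in common log format, not real captures.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (CLF style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /static/css/app.css HTTP/1.1" 200 812
10.0.0.7 - - [01/May/2022:10:00:02 +0000] "GET /static/..%2F..%2Fsecret.conf HTTP/1.1" 200 311
10.0.0.9 - - [01/May/2022:10:00:03 +0000] "GET /download?file=/srv/secret.conf HTTP/1.1" 200 311
10.0.0.5 - - [01/May/2022:10:00:04 +0000] "GET /static/js/app.js HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_reasons(url: str) -> list:
    """Return the reasons a request URL looks like a traversal attempt ([] if clean).

    The path is percent-decoded first so encoded '..%2F' is seen as '../';
    query values are checked for leading '/' (absolute) and '..' segments.
    """
    parts = urlsplit(url)
    reasons = []
    if ".." in unquote(parts.path).split("/"):
        reasons.append("dot-dot segment in path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decodes once; handle double-encoding
        if value.startswith("/"):
            reasons.append(f"absolute path in query parameter {key!r}")
        elif ".." in value.split("/"):
            reasons.append(f"dot-dot segment in query parameter {key!r}")
    return reasons


def scan_log(text: str) -> list:
    """Return (line_number, url, reasons) for every flagged access-log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = suspicious_reasons(match.group(1))
        if reasons:
            hits.append((n, match.group(1), reasons))
    return hits
```

A 200 status on a flagged line is the signal worth alerting on; a 404 or 403 suggests the containment check held.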


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf646d

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 2:04:49 AM

Last updated: 8/16/2025, 10:19:05 AM

