PT-2022-16970 · Unknown+1 · Piano Led Visualizer+1

Ghost · Published 2022-04-29 · Updated 2023-06-23 · CVE-2022-24900

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Piano LED Visualizer versions 1.3 and prior
Description: The issue is a path traversal vulnerability. The os.path.join call is unsafe for use with untrusted input: it discards every component that precedes an absolute path component and continues from that absolute path instead. As a result, untrusted input reaches flask.send_file unchanged, which allows path traversal. A patch with a fix is available on the master branch of the GitHub repository.
Recommendations: For versions 1.3 and prior, update to the patched version available on the master branch of the GitHub repository. As a temporary workaround, prevent untrusted data from reaching the vulnerable flask.send_file call. Alternatively, use flask.safe_join to join untrusted path components, or replace flask.send_file calls with flask.send_from_directory calls, which perform that containment check themselves.
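The following added example, which is not code from the advisory or from the Piano LED Visualizer project, shows the os.path.join behaviour described above next to a hardened resolver. The hardened function is a stand-in for flask.safe_join (implemented with the standard library only, so it runs without Flask installed); BASE_DIR and the sample paths are constructed values.

```python
import os

# Constructed sample: the directory the application intends to serve files from.
BASE_DIR = "/srv/visualizer/files"


def unsafe_resolve(base_dir, user_path):
    """The pattern the advisory describes: os.path.join drops every component
    that precedes an absolute segment, so an absolute user_path replaces
    base_dir entirely instead of being nested under it."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Hardened form (stand-in for flask.safe_join): join, normalise, and
    refuse the result unless it still lies inside base_dir.
    Returns the resolved path, or None when the input escapes base_dir."""
    base = os.path.normpath(os.path.abspath(base_dir))
    # An absolute input can never be "inside" the base directory.
    if os.path.isabs(user_path):
        return None
    candidate = os.path.normpath(os.path.join(base, user_path))
    # normpath has collapsed any ".." segments; the candidate is acceptable
    # only if base is still its common prefix at the path-component level.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def compare(user_path):
    """Resolve one input both ways so the difference is visible side by side."""
    return {
        "unsafe": unsafe_resolve(BASE_DIR, user_path),
        "safe": safe_resolve(BASE_DIR, user_path),
    }


if __name__ == "__main__":
    for sample in ("songs/a.mid", "../secret.txt", "/outside/secret.txt"):
        print(sample, "->", compare(sample))
```

The safe variant rejects both forms of escape: absolute inputs (the case this advisory is about) and relative inputs that climb out with `..`. Returning None rather than raising keeps the caller free to map the rejection to a 404, which is what flask.send_from_directory does.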

Exploit

Fix

Weakness Enumeration

Path traversal
Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2022-24900
GHSA-G78X-Q3X8-R6M4

Affected Products

Flask
Piano Led Visualizer