CVE-2022-21718 Renderers can obtain access to random bluetooth device without permission in Electron

2022-03-2216:25:12

CWE-668

GitHub_M

www.cve.org

electron

vulnerability

bluetooth

CVSS3

3.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

50.0%

JSON

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

CNA Affected

[
  {
    "product": "electron",
    "vendor": "electron",
    "versions": [
      {
        "status": "affected",
        "version": "< 13.6.6"
      },
      {
        "status": "affected",
        "version": ">= 14.0.0-beta.1, < 14.2.4"
      },
      {
        "status": "affected",
        "version": ">= 15.0.0-beta.1, < 15.3.5"
      },
      {
        "status": "affected",
        "version": ">= 16.0.0-beta.1, < 16.0.6"
      },
      {
        "status": "affected",
        "version": ">= 17.0.0-alpha.1, <= 17.0.0-alpha.5"
      }
    ]
  }
]