Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-3P22-GHQ8-V749
HistoryMar 22, 2022 - 6:49 p.m.

Renderers can obtain access to random bluetooth device without permission in Electron

2022-03-2218:49:36
CWE-668
CWE-862
GitHub Advisory Database
github.com
122
electron
vulnerability
bluetooth
web api
access
patches
workarounds
security advisory

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS

0.001

Percentile

50.0%

JSON

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at [email protected].

Affected configurations

Vulners
Node
electronelectronRange17.0.0-alpha.5
OR
electronelectronRange<16.0.6
OR
electronelectronRange<15.3.5
OR
electronelectronRange<14.2.4
OR
electronelectronRange<13.6.6

Related

osv 2
prion 1
hackerone 1
cve 1
veracode 1
nvd 1
cvelist 1
osv
osv
Renderers can obtain access to random bluetooth device without permission in Electron
2022-03-22 18:49:36
CVE-2022-21718
2022-03-22 17:15:07
prion
prion
Design/Logic Flaw
2022-03-22 17:15:00
hackerone
hackerone
Internet Bug Bounty: Renderers can obtain access to random bluetooth device without permission
2022-03-22 18:27:19
cve
cve
CVE-2022-21718
2022-03-22 17:15:07
veracode
veracode
Privilege Escalation
2022-03-23 04:19:01
nvd
nvd
CVE-2022-21718
2022-03-22 17:15:07
cvelist
cvelist
CVE-2022-21718 Renderers can obtain access to random bluetooth device without permission in Electron
2022-03-22 16:25:12

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS

0.001

Percentile

50.0%

JSON
Related for GHSA-3P22-GHQ8-V749
osv2prion1hackerone1cve1veracode1nvd1cvelist1