OSV:GHSA-3P22-GHQ8-V749

Renderers can obtain access to random bluetooth device without permission in Electron

Published: 2022-03-22 18:49:36
Source: Google, osv.dev
Tags: electron, vulnerability, bluetooth, access, patch, web api

EPSS

0.001

Percentile

50.0%

Impact

This vulnerability allows renderers to obtain access to a random Bluetooth device via the Web Bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random, and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can work around the issue by taking over device selection and cancelling every request:

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});
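The workaround above cancels every request. As an added example that is not part of the advisory, the handler below keeps the same shape but grants only a device the app itself has approved and cancels everything else; `allowedDeviceIds` is a hypothetical list the app would populate from an explicit user choice, and `app` is passed in so the logic can be exercised without Electron installed (in a real app, pass Electron's `app`).

```javascript
// Added example, not from the advisory. Policy for Electron's
// 'select-bluetooth-device' event: only a device the app has explicitly
// approved is ever handed to a renderer; every other request is cancelled.

// Decide which device, if any, a request may receive.
// `devices` is the array Electron passes to the event (objects with
// `deviceId` and `deviceName`). `allowedDeviceIds` is hypothetical app
// state holding ids the user approved earlier. Returns '' to cancel.
function chooseBluetoothDevice(devices, allowedDeviceIds) {
  if (!Array.isArray(devices) || devices.length === 0) return '';
  const allowed = new Set(allowedDeviceIds);
  // First device (in Electron's order) that is on the allow-list.
  const match = devices.find((d) => d && allowed.has(d.deviceId));
  return match ? match.deviceId : '';
}

// Install the policy on every WebContents the app creates. Without a
// handler, Electron's default behaviour grants a device the renderer did
// not choose, which is the advisory's issue; preventDefault() takes that
// decision away from Electron and callback('') cancels the request.
function installBluetoothDevicePolicy(app, allowedDeviceIds) {
  app.on('web-contents-created', (_event, webContents) => {
    webContents.on('select-bluetooth-device', (event, devices, callback) => {
      event.preventDefault();
      callback(chooseBluetoothDevice(devices, allowedDeviceIds));
    });
  });
}
```

With an empty allow-list this behaves exactly like the advisory's workaround, so an app can ship it first and add approved ids later.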

For more information

If you have any questions or comments about this advisory, email us at [email protected].
