CVE-2022-21718

EUVD-2022-1290
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a Bluetooth device via the Web Bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched, and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
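The workaround the description refers to is a main-process handler for the `select-bluetooth-device` event that cancels the request instead of letting Electron auto-select the first device. The following is an added example written for this page, not code from the advisory or from Electron itself; it assumes Electron's documented `app` and `webContents` events, and the function names `chooseBluetoothDevice`, `selectBluetoothDeviceHandler` and `installBluetoothGuard` are chosen here. It goes slightly beyond the deny-everything workaround by accepting an optional allowlist of device names.

```javascript
// Added example (not from the advisory): a main-process guard for Electron's
// `select-bluetooth-device` event. Electron emits it on a WebContents when a
// renderer calls navigator.bluetooth.requestDevice(); with no handler the first
// device found is selected automatically. Calling event.preventDefault() and
// callback('') cancels the request instead.

// Decide which device (if any) the renderer may receive. Returns the chosen
// deviceId, or '' to cancel the request. Kept pure so it is easy to test.
function chooseBluetoothDevice(devices, allowedDeviceNames) {
  const allowed = new Set(allowedDeviceNames || []);
  const match = devices.find((d) => allowed.has(d.deviceName));
  return match ? match.deviceId : '';
}

// Build the event handler. Without preventDefault() Electron still falls
// through to its default (auto-select) behaviour, so it is always called.
function selectBluetoothDeviceHandler(allowedDeviceNames) {
  return (event, devices, callback) => {
    event.preventDefault();
    callback(chooseBluetoothDevice(devices, allowedDeviceNames));
  };
}

// Hook every WebContents as it is created, including ones created later
// (child windows, webviews). `app` is passed in so this file also loads
// outside Electron, e.g. under a plain Node test runner.
function installBluetoothGuard(app, allowedDeviceNames) {
  const handler = selectBluetoothDeviceHandler(allowedDeviceNames);
  app.on('web-contents-created', (_event, webContents) => {
    webContents.on('select-bluetooth-device', handler);
  });
  return handler;
}

// Only runs inside Electron, where process.versions.electron is defined.
if (process.versions.electron) {
  const { app } = require('electron');
  installBluetoothGuard(app, []); // empty allowlist: every request is cancelled
}
```

Place this in the main process before any `BrowserWindow` is created so the `web-contents-created` listener sees every renderer.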
Scores (CVSS 3.x base score)

Provider   Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       Primary  3.4 LOW     NETWORK      LOW              HIGH            CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
GitHub_M   CNA      3.4 LOW     NETWORK      LOW              HIGH            CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

EPSS Score: Percentile 74%
Affected Products (NVD)

Vendor      Product   Version
electronjs  electron  x < 13.6.6
electronjs  electron  14.0.0 ≤ x < 14.2.4
electronjs  electron  15.0.0 ≤ x < 15.3.5
electronjs  electron  16.0.0 ≤ x < 16.0.6
electronjs  electron  17.0.0:alpha1
electronjs  electron  17.0.0:alpha2
electronjs  electron  17.0.0:alpha3
electronjs  electron  17.0.0:alpha4
electronjs  electron  17.0.0:alpha5

x = vulnerable software versions