CVE-2022-21718 Information

Jun 07, 2022 cve

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6 16.0.6 15.3.5 14.2.4 and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6 16.0.6 15.3.5 14.2.4 and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Reference

https://github.com/electron/electron/pull/32178 https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 https://github.com/electron/electron/pull/32240

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.0

Share on: