CVE-2022-21718

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
References
Link Resource
https://github.com/electron/electron/pull/32178 Issue Tracking Patch Third Party Advisory
https://github.com/electron/electron/pull/32240 Issue Tracking Patch Third Party Advisory
https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 Mitigation Third Party Advisory
https://github.com/electron/electron/pull/32178 Issue Tracking Patch Third Party Advisory
https://github.com/electron/electron/pull/32240 Issue Tracking Patch Third Party Advisory
https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 Mitigation Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:17.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:17.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:17.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:17.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:17.0.0:alpha5:*:*:*:*:*:*

History

21 Nov 2024, 06:45

Type Values Removed Values Added
References () https://github.com/electron/electron/pull/32178 - Issue Tracking, Patch, Third Party Advisory () https://github.com/electron/electron/pull/32178 - Issue Tracking, Patch, Third Party Advisory
References () https://github.com/electron/electron/pull/32240 - Issue Tracking, Patch, Third Party Advisory () https://github.com/electron/electron/pull/32240 - Issue Tracking, Patch, Third Party Advisory
References () https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 - Mitigation, Third Party Advisory () https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 - Mitigation, Third Party Advisory
CVSS v2 : 4.0
v3 : 5.0
v2 : 4.0
v3 : 3.4

24 Jul 2023, 13:46

Type Values Removed Values Added
CWE CWE-668 CWE-862

Information

Published : 2022-03-22 17:15

Updated : 2024-11-21 06:45


NVD link : CVE-2022-21718

Mitre link : CVE-2022-21718

CVE.ORG link : CVE-2022-21718


JSON object : View

Products Affected

electronjs

  • electron
CWE
CWE-668

Exposure of Resource to Wrong Sphere

CWE-862

Missing Authorization