GSD-2022-21718
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-21718",
"description": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.",
"id": "GSD-2022-21718"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-21718"
],
"details": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.",
"id": "GSD-2022-21718",
"modified": "2023-12-13T01:19:14.069780Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21718",
"STATE": "PUBLIC",
"TITLE": "Renderers can obtain access to random bluetooth device without permission in Electron"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "electron",
"version": {
"version_data": [
{
"version_value": "\u003c 13.6.6"
},
{
"version_value": "\u003e= 14.0.0-beta.1, \u003c 14.2.4"
},
{
"version_value": "\u003e= 15.0.0-beta.1, \u003c 15.3.5"
},
{
"version_value": "\u003e= 16.0.0-beta.1, \u003c 16.0.6"
},
{
"version_value": "\u003e= 17.0.0-alpha.1, \u003c= 17.0.0-alpha.5"
}
]
}
}
]
},
"vendor_name": "electron"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-668: Exposure of Resource to Wrong Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749",
"refsource": "CONFIRM",
"url": "https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749"
},
{
"name": "https://github.com/electron/electron/pull/32178",
"refsource": "MISC",
"url": "https://github.com/electron/electron/pull/32178"
},
{
"name": "https://github.com/electron/electron/pull/32240",
"refsource": "MISC",
"url": "https://github.com/electron/electron/pull/32240"
}
]
},
"source": {
"advisory": "GHSA-3p22-ghq8-v749",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c13.6.6||\u003e=14.0.0 \u003c14.2.4||\u003e=15.0.0 \u003c15.3.5||\u003e=16.0.0 \u003c16.0.6||=17.0.0",
"affected_versions": "All versions before 13.6.6, all versions starting from 14.0.0 before 14.2.4, all versions starting from 15.0.0 before 15.3.5, all versions starting from 16.0.0 before 16.0.6, version 17.0.0",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-862",
"CWE-937"
],
"date": "2023-07-24",
"description": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.",
"fixed_versions": [
"13.6.6",
"14.2.4",
"15.3.5",
"16.0.6",
"17.0.1"
],
"identifier": "CVE-2022-21718",
"identifiers": [
"CVE-2022-21718",
"GHSA-3p22-ghq8-v749"
],
"not_impacted": "All versions starting from 13.6.6 before 14.0.0, all versions starting from 14.2.4 before 15.0.0, all versions starting from 15.3.5 before 16.0.0, all versions starting from 16.0.6 before 17.0.0, all versions after 17.0.0",
"package_slug": "npm/electron",
"pubdate": "2022-03-22",
"solution": "Upgrade to versions 13.6.6, 14.2.4, 15.3.5, 16.0.6, 17.0.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749",
"https://nvd.nist.gov/vuln/detail/CVE-2022-21718",
"https://github.com/electron/electron/pull/32178",
"https://github.com/electron/electron/pull/32240",
"https://github.com/advisories/GHSA-3p22-ghq8-v749"
],
"uuid": "b2bf8992-ce5e-418f-9ec6-81bc2ddc3086"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.6.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "16.0.6",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "15.3.5",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "14.2.4",
"versionStartIncluding": "14.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:17.0.0:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:17.0.0:alpha2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:17.0.0:alpha3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:17.0.0:alpha4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:electronjs:electron:17.0.0:alpha5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21718"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/electron/electron/pull/32178",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/electron/electron/pull/32178"
},
{
"name": "https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749",
"refsource": "CONFIRM",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749"
},
{
"name": "https://github.com/electron/electron/pull/32240",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/electron/electron/pull/32240"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4
}
},
"lastModifiedDate": "2023-07-24T13:46Z",
"publishedDate": "2022-03-22T17:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…