CVE-2022-21718

Summary

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Affected Software

VendorProductVersion RangeStatus
electronelectron< 13.6.6affected
electronelectron>= 14.0.0-beta.1, < 14.2.4affected
electronelectron>= 15.0.0-beta.1, < 15.3.5affected
electronelectron>= 16.0.0-beta.1, < 16.0.6affected
electronelectron>= 17.0.0-alpha.1, <= 17.0.0-alpha.5affected

Weaknesses

  • CWE-668: CWE-668: Exposure of Resource to Wrong Sphere

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References