CVE-2022-21718
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/03/2022
Last modified:
24/07/2023
Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Impact
Base Score 3.x
5.00
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* | 13.6.6 (excluding) | |
| cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* | 14.0.0 (including) | 14.2.4 (excluding) |
| cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* | 15.0.0 (including) | 15.3.5 (excluding) |
| cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* | 16.0.0 (including) | 16.0.6 (excluding) |
| cpe:2.3:a:electronjs:electron:17.0.0:alpha1:*:*:*:*:*:* | ||
| cpe:2.3:a:electronjs:electron:17.0.0:alpha2:*:*:*:*:*:* | ||
| cpe:2.3:a:electronjs:electron:17.0.0:alpha3:*:*:*:*:*:* | ||
| cpe:2.3:a:electronjs:electron:17.0.0:alpha4:*:*:*:*:*:* | ||
| cpe:2.3:a:electronjs:electron:17.0.0:alpha5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page