GHSA-3p22-ghq8-v749

Source

https://github.com/advisories/GHSA-3p22-ghq8-v749

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3p22-ghq8-v749/GHSA-3p22-ghq8-v749.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3p22-ghq8-v749

Aliases

CVE-2022-21718

Related

CVE-2022-21718

Published

2022-03-22T18:49:36Z

Modified

2023-11-08T04:08:09.293794Z

Severity

3.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Renderers can obtain access to random bluetooth device without permission in Electron

Details

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix: * 17.0.0-alpha.6 * 16.0.6 * 15.3.5 * 14.2.4 * 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information If you have any questions or comments about this advisory, email us at security@electronjs.org.

Database specific

{
    "nvd_published_at": "2022-03-22T17:15:00Z",
    "cwe_ids": [
        "CWE-668",
        "CWE-862"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-22T18:49:36Z"
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

13.6.6

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

14.0.0-beta.1

Fixed

14.2.4

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0-beta.1

Fixed

15.3.5

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0-beta.1

Fixed

16.0.6

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

17.0.0-alpha.1

Fixed

17.0.0-alpha.6

Database specific

{
    "last_known_affected_version_range": "<= 17.0.0-alpha.5"
}