Electron up to 17.0.0-alpha.5 Web Bluetooth API exposure of resource
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 2.8 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as problematic has been discovered in Electron up to 13.6.5/14.2.3/15.3.4/16.0.5/17.0.0-alpha.5. This vulnerability affects unknown code of the component Web Bluetooth API. Executing a manipulation can lead to exposure of resource. This vulnerability is handled as CVE-2022-21718. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability classified as problematic was found in Electron up to 13.6.5/14.2.3/15.3.4/16.0.5/17.0.0-alpha.5. This vulnerability affects an unknown functionality of the component Web Bluetooth API. The manipulation with an unknown input leads to a exposure of resource vulnerability. The CWE definition for the vulnerability is CWE-668. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. As an impact it is known to affect confidentiality.
The weakness was released 03/22/2022 as GHSA-3p22-ghq8-v749. The advisory is shared for download at github.com. This vulnerability was named CVE-2022-21718 since 11/16/2021. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.
Upgrading to version 13.6.6, 14.2.4, 15.3.5, 16.0.6 or 17.0.0-alpha.6 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Name
Version
- 13.6.0
- 13.6.1
- 13.6.2
- 13.6.3
- 13.6.4
- 13.6.5
- 14.2.0
- 14.2.1
- 14.2.2
- 14.2.3
- 15.3.0
- 15.3.1
- 15.3.2
- 15.3.3
- 15.3.4
- 16.0.0
- 16.0.1
- 16.0.2
- 16.0.3
- 16.0.4
- 16.0.5
- 17.0.0-alpha.0
- 17.0.0-alpha.1
- 17.0.0-alpha.2
- 17.0.0-alpha.3
- 17.0.0-alpha.4
- 17.0.0-alpha.5
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 2.9VulDB Meta Temp Score: 2.8
VulDB Base Score: 2.4
VulDB Temp Score: 2.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 3.4
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Exposure of resourceCWE: CWE-668 / CWE-200 / CWE-284
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Electron 13.6.6/14.2.4/15.3.5/16.0.6/17.0.0-alpha.6
Patch: github.com
Timeline
11/16/2021 🔍03/22/2022 🔍
03/22/2022 🔍
03/25/2022 🔍
Sources
Product: github.comAdvisory: GHSA-3p22-ghq8-v749
Status: Confirmed
CVE: CVE-2022-21718 (🔍)
GCVE (CVE): GCVE-0-2022-21718
GCVE (VulDB): GCVE-100-195616
Entry
Created: 03/22/2022 19:41Updated: 03/25/2022 08:35
Changes: 03/22/2022 19:41 (49), 03/25/2022 08:35 (1)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.