CVE-2022-21718 (Medium) detected in electron-7.2.4.tgz

Question

CVE-2022-21718 (Medium) detected in electron-7.2.4.tgz

Opened this issue a year ago · 0 comments

mend-bolt-for-github commented a year ago

CVE-2022-21718 - Medium Severity Vulnerability

Vulnerable Library - electron-7.2.4.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-7.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

❌ electron-7.2.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Publish Date: 2022-03-22

URL: CVE-2022-21718

CVSS 3 Score Details (5.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718

Release Date: 2022-03-22

Fix Resolution: 13.6.6

Step up your Open Source Security Game with Mend here