CVE-2022-21718
Web Bluetooth API vulnerability in electron (npm)
What is CVE-2022-21718 About?
This vulnerability in Electron allows renderers to obtain unauthorized access to a random Bluetooth device through the Web Bluetooth API. This could lead to information disclosure or unintended device interactions. Exploitation requires specific application configurations but is considered moderately easy once those conditions are met.
Affected Software
- electron
- >16.0.0-beta.1, <16.0.6
- >14.0.0-beta.1, <14.2.4
- >17.0.0-alpha.1, <17.0.0-alpha.6
- >15.0.0-beta.1, <15.3.5
- <13.6.6
Technical Details
The vulnerability arises when an Electron application, which uses the Web Bluetooth API, does not implement a custom 'select-bluetooth-device' event handler. In such a scenario, a compromised renderer process can bypass the intended security model and gain access to a randomly selected Bluetooth device. The select-bluetooth-device event is designed to allow applications to control device selection. Without an explicit handler that prevents or filters this selection, the renderer can essentially "trick" the system into granting access to an arbitrary, available Bluetooth device without user interaction or proper application control. This mechanism does not allow the attacker to choose a specific device, but nevertheless grants unauthorized access to a random one.
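The handler described above, sketched as an added example (not code from the Electron project or from this advisory page). The allowlist `ALLOWED_DEVICE_NAMES`, its sample entry, and the helper names `chooseDevice`, `guardBluetooth` and `guardAllWebContents` are hypothetical; the event name, `event.preventDefault()` and the empty-string cancel are Electron's documented behaviour.

```javascript
// Deny-by-default handling of Electron's 'select-bluetooth-device' event.
// The allowlist entry is a constructed sample value, not a real product name.
const ALLOWED_DEVICE_NAMES = new Set(['Example Heart Rate Sensor']);

// Return the deviceId of the first allowlisted device, or '' to cancel.
// Passing '' to Electron's callback rejects the renderer's request.
function chooseDevice(deviceList, allowedNames = ALLOWED_DEVICE_NAMES) {
  if (!Array.isArray(deviceList)) return '';
  const match = deviceList.find(
    (d) => d && typeof d.deviceId === 'string' && allowedNames.has(d.deviceName)
  );
  return match ? match.deviceId : '';
}

// Attach the handler to one webContents (any object exposing .on()).
function guardBluetooth(webContents, allowedNames = ALLOWED_DEVICE_NAMES) {
  webContents.on('select-bluetooth-device', (event, deviceList, callback) => {
    // Take over device selection so no default choice is made for the renderer.
    event.preventDefault();
    // Cancelling when nothing matches is the conservative option; an app that
    // must wait for a device to appear would defer the callback instead.
    callback(chooseDevice(deviceList, allowedNames));
  });
}

// Cover every window, webview and child window the application creates.
function guardAllWebContents(app, allowedNames = ALLOWED_DEVICE_NAMES) {
  app.on('web-contents-created', (_event, webContents) => {
    guardBluetooth(webContents, allowedNames);
  });
}

// In an Electron main process:
//   const { app } = require('electron');
//   guardAllWebContents(app);
```

An application that never uses Web Bluetooth can pass an empty `Set`, which cancels every request.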
What is the Impact of CVE-2022-21718?
Successful exploitation may allow attackers to gain unauthorized access to random Bluetooth devices, leading to potential information leakage, device manipulation, or privacy violation depending on the connected device's capabilities.
What is the Exploitability of CVE-2022-21718?
Exploitation complexity is moderate, primarily requiring the attacker to create conditions where the Electron application's 'select-bluetooth-device' event handler is not properly configured (i.e., not present or not preventing default behavior). No authentication is directly required for the vulnerability itself, beyond the renderer's initial compromise. Privilege requirements are at the level of the renderer process. Exploitation is local to the compromised renderer environment, but the impact extends to connected Bluetooth devices. A key constraint is that the attacker cannot select a specific Bluetooth device; access is granted to a random one. The likelihood of exploitation is increased if applications frequently omit custom event handlers for Bluetooth device selection, making default behavior exploitable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-21718?
Available Upgrade Options
- electron
- <13.6.6 → Upgrade to 13.6.6
- electron
- >14.0.0-beta.1, <14.2.4 → Upgrade to 14.2.4
- electron
- >15.0.0-beta.1, <15.3.5 → Upgrade to 15.3.5
- electron
- >16.0.0-beta.1, <16.0.6 → Upgrade to 16.0.6
- electron
- >17.0.0-alpha.1, <17.0.0-alpha.6 → Upgrade to 17.0.0-alpha.6
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-21718
- https://github.com/electron/electron/pull/32240
- https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
- https://osv.dev/vulnerability/GHSA-3p22-ghq8-v749
- https://github.com/electron/electron/pull/32178
- https://github.com/electron/electron
What are Similar Vulnerabilities to CVE-2022-21718?
Similar Vulnerabilities: CVE-2021-30538, CVE-2020-15967, CVE-2020-16013, CVE-2020-6507, CVE-2020-6508
