CVE-2022-21718 (Medium) detected in electron-1.8.8.tgz - autoclosed

[mend-for-github-com[bot]]

CVE-2022-21718 - Medium Severity Vulnerability

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Dependency Hierarchy: - :x: **electron-1.8.8.tgz** (Vulnerable Library)

Found in HEAD commit: 8d1e24260d1985acc52e5d1710bcc43fcf3848ca

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Publish Date: 2022-03-22

URL: CVE-2022-21718

CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718

Release Date: 2022-03-22

Fix Resolution: 13.6.6

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.