Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2022-21718 - Low Severity Vulnerability
Vulnerable Library - electron-13.1.9.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-13.1.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy: - :x: **electron-13.1.9.tgz** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Publish Date: 2022-03-22
URL: CVE-2022-21718
CVSS 3 Score Details (3.4)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718
Release Date: 2022-03-22
Fix Resolution: 13.6.6
Step up your Open Source Security Game with Mend here