Cyber Resilience

CVE-2022-21718

Severity: Low
Published: 22 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed versions listed under Vulnerability details)
CVSS Score v3.1: 3.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N)
EPSS Score: 0.0085 (75.3rd percentile)
Risk Priority: 7 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21718 is a low-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Electron, the electronjs/electron desktop application framework. Its CVSS v3.1 base score is 3.4 (Low): the vector requires high privileges and user interaction, and the only impact is a confidentiality loss, although the scope change reflects that a renderer reaches a resource (a Bluetooth device) outside its own sandbox.

Operationally, its EPSS score places it in the top 24.7% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.


Vulnerability details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6`, a renderer can obtain access to a Bluetooth device via the Web Bluetooth API if the application has not configured a custom `select-bluetooth-device` event handler. This has been patched: Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Applications that cannot upgrade yet can add the handler code from the GitHub Security Advisory to the main process to work around the issue.

CWE(s)

CWE-668 Exposure of Resource to Wrong Sphere · CWE-862 Missing Authorization (as cited in the NVD entry)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

electronjs / electron
Affected ranges (derived from the advisory text above; each upper bound is exclusive, the fixed version itself is not affected): < 13.6.6 · 14.0.0 to < 14.2.4 · 15.0.0 to < 15.3.5 · 16.0.0 to < 16.0.6 · 17.0.0 pre-release builds before 17.0.0-alpha.6

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, CWE-862 (Missing Authorization) and CWE-668 (Exposure of Resource to Wrong Sphere). Each control addresses both CWEs. For this CVE specifically, the concrete controls are the version upgrade and the custom `select-bluetooth-device` handler described under Vulnerability details.

- Mandates authorization checks before permitting access or data processing via external systems.
- Provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
- Restricts information flows so that resources are not exposed to incorrect or unauthorized spheres.
- Requires explicit authorization for each internal connection, preventing missing authorization.
- Tracks assets so that resources which have inadvertently entered an unintended security sphere are revealed and can be isolated.
- Enforces separation so that resources are not placed in a public sphere without explicit protection.
- Ensures resources are not exposed outside their intended security domain by filtering transfers at the domain boundary.
- Keeps internal resources in network spheres separate from externally accessible components.
