{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42768?format=json","vulnerability_id":"VCID-r9kq-n5sk-zqba","summary":"Exposure of Resource to Wrong Sphere\nElectron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.","aliases":[{"alias":"CVE-2022-21718"},{"alias":"GHSA-3p22-ghq8-v749"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61070?format=json","purl":"pkg:npm/electron@13.6.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@13.6.6"},{"url":"http://public2.vulnerablecode.io/api/packages/61071?format=json","purl":"pkg:npm/electron@14.2.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@14.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/61072?format=json","purl":"pkg:npm/electron@15.3.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@15.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/61073?format=json","purl":"pkg:npm/electron@16.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@16.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/148408?format=json","purl":"pkg:npm/electron@17.0.0-alpha.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@17.0.0-alpha.6"},{"url":"http://public2.vulnerablecode.io/api/packages/61074?format=json","purl":"pkg:npm/electron@17.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@17.0.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59276?format=json","purl":"pkg:npm/electron@14.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j3za-9wj7-vkd7"},{"vulnerability":"VCID-r9kq-n5sk-zqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@14.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/59277?format=json","purl":"pkg:npm/electron@15.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j3za-9wj7-vkd7"},{"vulnerability":"VCID-r9kq-n5sk-zqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@15.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61068?format=json","purl":"pkg:npm/electron@16.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-r9kq-n5sk-zqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@16.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61069?format=json","purl":"pkg:npm/electron@17.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-r9kq-n5sk-zqba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/electron@17.0.0"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21718","reference_id":"","reference_type":"","scores":[{"value":"0.00848","scoring_system":"epss","scoring_elements":"0.75217","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21718"},{"reference_url":"https://github.com/electron/electron","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/electron/electron"},{"reference_url":"https://github.com/electron/electron/pull/32178","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/electron/electron/pull/32178"},{"reference_url":"https://github.com/electron/electron/pull/32240","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/electron/electron/pull/32240"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21718","reference_id":"CVE-2022-21718","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21718"},{"reference_url":"https://github.com/advisories/GHSA-3p22-ghq8-v749","reference_id":"GHSA-3p22-ghq8-v749","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3p22-ghq8-v749"},{"reference_url":"https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749","reference_id":"GHSA-3p22-ghq8-v749","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":862,"name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":668,"name":"Exposure of Resource to Wrong Sphere","description":"The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource."}],"exploits":[],"severity_range_score":"0.1 - 3.4","exploitability":"0.5","weighted_severity":"3.1","risk_score":1.6,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9kq-n5sk-zqba"}