Описание
Renderers can obtain access to random bluetooth device without permission in Electron
Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.
All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.616.0.615.3.514.2.413.6.6
Workarounds
Adding this code to your app can workaround the issue.
For more information If you have any questions or comments about this advisory, email us at security@electronjs.org.
Пакеты
electron
< 13.6.6
13.6.6
electron
>= 14.0.0-beta.1, < 14.2.4
14.2.4
electron
>= 15.0.0-beta.1, < 15.3.5
15.3.5
electron
>= 16.0.0-beta.1, < 16.0.6
16.0.6
electron
>= 17.0.0-alpha.1, <= 17.0.0-alpha.5
17.0.0-alpha.6
Связанные уязвимости
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Electron is a framework for writing cross-platform desktop application ...