Renderers can obtain access to random bluetooth device without permission in Electron

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

17.0.0-alpha.6
16.0.6
15.3.5
14.2.4
13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

References

MarshallOfSound published to electron/electron Mar 21, 2022

Published by the National Vulnerability Database Mar 22, 2022

Published to the GitHub Advisory Database Mar 22, 2022

Reviewed Mar 22, 2022

Last updated Jul 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits