Backblaze · B2-Sdk-Python · CVE-2022-23651
**Name of the Vulnerable Software and Affected Versions**
b2-sdk-python versions 1.14.0 and below
**Description**
The b2-sdk-python library contains a key disclosure vulnerability that local attackers can exploit through a time-of-check-time-of-use (TOCTOU) race condition. It affects users of the SqliteAccountInfo format; users of the InMemoryAccountInfo format are not affected. SqliteAccountInfo stores API keys and the bucket name-to-id mapping in a local database file that is created world-readable and only afterwards made private to the owning user. If the directory containing the file is readable by a local attacker, they can open the file during the brief window between its creation and the permission change and read the sensitive information; a handle opened in that window remains usable after the permissions are tightened.
**Recommendations**
For b2-sdk-python versions 1.14.0 and below, upgrade to b2-sdk-python 1.14.1 or later.
If a local user might have opened a handle using this race condition, remove the affected database files and regenerate all application keys.
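The create-then-chmod race described above, beside the hardened create-with-mode pattern and a permission check for the cleanup step, as an added POSIX example (this is illustrative code, not b2-sdk-python's own implementation; file names and the `account` table are assumed):

```python
import os
import sqlite3
import stat
import tempfile


def create_then_chmod(path: str) -> int:
    """Vulnerable pattern from the advisory: the file is created under the
    process umask (0o644 with the usual umask 022) and only then restricted
    to the owner, so a local user who can read the directory can open it in
    between. Returns the mode bits the file carried during that window."""
    sqlite3.connect(path).close()                # created with default perms
    exposed_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # too late to close the window
    return exposed_mode


def create_private(path: str) -> int:
    """Hardened pattern: pass the owner-only mode to open(2) itself so the
    file never exists with wider permissions; O_EXCL also refuses a file or
    symlink already planted at that path. SQLite treats the existing empty
    file as a new database and leaves its mode alone."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS account (application_key TEXT)")
    conn.commit()
    conn.close()
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path: str) -> bool:
    """Audit check for an existing account-info file: any group/other bit
    set means it may have been exposed and the advisory's cleanup applies."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo() -> tuple:
    """Run both patterns in a scratch directory under umask 022 and return
    (mode during the vulnerable window, hardened mode, hardened is private)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            exposed = create_then_chmod(os.path.join(d, "vuln.sqlite"))
            safe_path = os.path.join(d, "safe.sqlite")
            safe = create_private(safe_path)
            return exposed, safe, is_private(safe_path)
    finally:
        os.umask(old_umask)
```

Running `demo()` shows the vulnerable file sitting at mode 0o644 before the chmod while the hardened file is 0o600 from the moment it exists.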