Backblaze · B2 Command Line Tool · CVE-2022-23653
**Name of the Vulnerable Software and Affected Versions**
B2 Command Line Tool versions 3.2.0 and below
**Description**
The B2 Command Line Tool contains a key disclosure vulnerability that local attackers can exploit through a time-of-check-time-of-use (TOCTOU) race condition. When `b2 authorize-account` is first run, the tool saves API keys in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path). The file is created world readable and only afterwards made private to the user, so a local attacker who opens it during the brief window between file creation and permission change can read the stored keys.
**Recommendations**
For users who have not yet run `b2 authorize-account`, upgrade to B2 Command Line Tool v3.2.1 before running it.
For users who have already run `b2 authorize-account` on a system where the database path could have been opened by another local user, upgrade to B2 Command Line Tool v3.2.1, remove the database file, and regenerate all application keys.
If B2 Command Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, use a binary release instead, install the new version within a virtualenv, or change the permissions on the database file so that other local users cannot open it.
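The create-then-chmod window from the description, and the permission check behind the last recommendation, as an added illustration that is not code from the B2 tool: `write_secret_vulnerable` reproduces the race-prone order of operations, `write_secret_hardened` creates the file private from the first instant, and `exposed_to_other_users` is a constructed audit helper; the sample key value is a placeholder.

```python
import os
import stat

# Constructed placeholder; not a real Backblaze application key.
SAMPLE_KEY = "K000-placeholder-application-key"


def file_mode(path: str) -> int:
    """Permission bits of a file (e.g. 0o644), without file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_vulnerable(path: str, secret: str, during_window=None) -> None:
    """Race-prone pattern: open() creates the file with permissions derived
    from the process umask (commonly 0o644, i.e. world readable), the secret
    is written, and only then is the mode tightened. Anything that runs in
    between sees a readable file; `during_window` stands in for that."""
    with open(path, "w") as f:          # mode decided by umask, not by us
        f.write(secret)
    if during_window is not None:       # the TOCTOU window
        during_window()
    os.chmod(path, 0o600)               # too late if the file was opened already


def write_secret_hardened(path: str, secret: str) -> None:
    """Closed window: O_CREAT with mode 0o600 makes the file private at the
    moment it exists (umask can only clear bits, never add them), and O_EXCL
    refuses to reuse an existing file or symlink at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def exposed_to_other_users(path: str) -> bool:
    """Audit check for an existing account database: True if group or other
    hold any permission bit, meaning another local user could open it."""
    return bool(file_mode(path) & 0o077)
```

Where `exposed_to_other_users` reports True for an existing database, the advisory's guidance applies: remove the file and regenerate the application keys rather than just tightening permissions after the fact.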