PT-2022-16162 · Backblaze · B2-Sdk-Python

Janschejbal

Published: 2022-02-23 · Updated: 2022-03-07

CVE-2022-23651

CVSS v4.0: 5.7 (Medium)
Vector: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: b2-sdk-python versions 1.14.0 and below

Description: The b2-sdk-python library contains a key disclosure vulnerability that can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. This vulnerability affects users of the SqliteAccountInfo format, while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys and the bucket name-to-id mapping in a local database file, which is initially world-readable and only later altered to be private to the user. If the directory containing the file is readable by a local attacker, they can exploit the brief period between file creation and permission modification to read the sensitive information.

Recommendations: For b2-sdk-python versions 1.14.0 and below, upgrade to b2-sdk-python 1.14.1 or later. If a local user might have opened a handle using this race condition, remove the affected database files and regenerate all application keys.
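The creation order that opens the window described above, beside a hardened alternative, as an added Python example (constructed here, not code from b2-sdk-python or its fix); it assumes a POSIX system and forces a 0o022 umask to model a typical default.

```python
import os
import sqlite3
import stat
import tempfile

# Constructed example, not code from b2-sdk-python. It contrasts the vulnerable
# creation order described in the advisory (create the SQLite account-info file
# with default permissions, chmod afterwards) with a private-from-the-start creation. POSIX only.

NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def insecure_create(path, umask=0o022):
    """Vulnerable order: readable by other users until chmod runs."""
    old = os.umask(umask)  # 0o022 mimics a common default umask
    try:
        conn = sqlite3.connect(path)  # SQLite creates the file as 0o644 & ~umask
        conn.execute("CREATE TABLE IF NOT EXISTS account (application_key TEXT)")
        conn.commit()
        window_mode = stat.S_IMODE(os.stat(path).st_mode)  # inside the TOCTOU window
        os.chmod(path, 0o600)  # too late for a handle opened before this line
        conn.close()
    finally:
        os.umask(old)
    return window_mode


def secure_create(path):
    """Hardened order: the file is 0o600 before SQLite ever opens it."""
    # O_CREAT|O_EXCL with an explicit mode: no instant where other users can open it
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    conn = sqlite3.connect(path)  # opens the already-private file
    conn.execute("CREATE TABLE IF NOT EXISTS account (application_key TEXT)")
    conn.commit()
    conn.close()
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(mode):
    """True if the group or other permission bits grant read access."""
    return bool(mode & NON_OWNER_READ)


def compare():
    """Run both patterns in a scratch directory; returns (weak, strong) modes."""
    with tempfile.TemporaryDirectory() as d:
        weak = insecure_create(os.path.join(d, "weak.sqlite"))
        strong = secure_create(os.path.join(d, "strong.sqlite"))
    return weak, strong
```

Auditing an existing deployment amounts to the same check: a mode with group or other read bits on the account-info database means the file was created under the vulnerable order.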

References: Exploit · Fix

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2022-23651
GHSA-P867-FXFR-PH2W
PYSEC-2022-33

Affected Products

B2-Sdk-Python