PT-2022-16163 · Backblaze · B2 Command Line Tool

Ooolap

Published 2022-02-23 · Updated 2022-03-07 · CVE-2022-23653

CVSS v4.0: 5.7 (Medium)
Vector: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: B2 Command Line Tool versions 3.2.0 and below
Description: The B2 Command Line Tool contains a key disclosure vulnerability that a local attacker can exploit through a time-of-check to time-of-use (TOCTOU) race condition. When b2 authorize-account is first run, the tool saves the account's API keys in a local SQLite database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info, or a user-defined path). The file is created world readable and only afterwards changed to be private to the user, so any local user who opens the file in the brief window between creation and the permission change can read its contents. Because the kernel checks permissions at open time rather than at read time, a file descriptor obtained inside that window keeps working after the file has been made private, so the later chmod does not undo the exposure.
Recommendations: Users who have not yet run b2 authorize-account should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users who have already run b2 authorize-account on a system where another local user could have opened the database file during the window should upgrade to v3.2.1, delete the database file, and revoke and regenerate all application keys it contained; the keys must be treated as compromised, since fixing the file permissions after the fact does not help. If B2 Command-Line Tool cannot be upgraded to v3.2.1 because of a dependency conflict, use a binary release instead, install the new version inside a virtualenv, or change the permissions of the database file (owner read/write only) so that other local users cannot open it.
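The following Python example was added for this entry to make the race concrete; it is not code from the B2 Command Line Tool or b2sdk, and the function names, file names and placeholder secret are constructed for illustration. It assumes a POSIX system with a 0o022 umask. vulnerable_create() reproduces the create-then-chmod pattern described above and shows a racing reader keeping its descriptor past the chmod; hardened_create() creates the file with mode 0o600 and O_EXCL in a single step, so there is never a readable window and a pre-planted file is refused; readable_by_others() is the check behind the recommendation to treat keys as exposed when another local user could have opened the database file.

```python
import os
import stat
import tempfile


def observed_mode(path: str) -> int:
    """Permission bits of `path`, as any local user can see them via stat()."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path: str) -> bool:
    """True if group or other users hold read permission on `path`.

    This is the check behind 'the designated path could be opened by another
    local user': if it is true for an existing account database, assume the
    keys inside have been exposed and regenerate them.
    """
    return bool(observed_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def vulnerable_create(path: str, secret: bytes, umask: int = 0o022) -> tuple:
    """Create-then-chmod, the pattern behind the advisory (illustrative, not b2sdk code).

    The file is created with 0o666 & ~umask (0o644 for the usual umask), the
    secret is written, and only then is it chmod'ed to 0o600.  A racing local
    user who open()s the file in that window keeps a working descriptor,
    because the kernel checks permissions at open() time, not at read() time.
    Returns (mode seen during the window, bytes the racer can read afterwards).
    """
    old_umask = os.umask(umask)
    racer = None
    try:
        with open(path, "wb") as fh:            # created world readable
            window_mode = observed_mode(path)
            racer = open(path, "rb")            # simulated attacker open() inside the window
            fh.write(secret)
        os.chmod(path, 0o600)                   # closes the window, but not the racer's fd
    finally:
        os.umask(old_umask)
    leaked = racer.read()                       # still readable after the chmod
    racer.close()
    return window_mode, leaked


def hardened_create(path: str, secret: bytes, umask: int = 0o022) -> int:
    """Create the file with its final mode in one step.

    os.open() with O_CREAT|O_EXCL and mode 0o600 means there is no moment at
    which the file exists with looser permissions, and a pre-existing file
    (for example a symlink or world-readable file planted by an attacker) is
    refused with FileExistsError instead of being reused.
    Returns the mode observed immediately after creation.
    """
    old_umask = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            window_mode = observed_mode(path)
            fh.write(secret)
    finally:
        os.umask(old_umask)
    return window_mode


def demo() -> dict:
    """Run both variants in a scratch directory and report what a racer would see."""
    secret = b"keyId:applicationKey"            # constructed placeholder, not a real B2 key
    with tempfile.TemporaryDirectory() as tmp:
        vuln_path = os.path.join(tmp, "account_info_vulnerable")
        safe_path = os.path.join(tmp, "account_info_hardened")

        vuln_mode, leaked = vulnerable_create(vuln_path, secret)
        safe_mode = hardened_create(safe_path, secret)
        try:
            hardened_create(safe_path, secret)  # second call must not reuse the existing file
            refused_existing = False
        except FileExistsError:
            refused_existing = True

        return {
            "vulnerable_window_mode": vuln_mode,
            "vulnerable_window_readable_by_others": bool(vuln_mode & (stat.S_IRGRP | stat.S_IROTH)),
            "vulnerable_leaked": leaked,
            "vulnerable_final_mode": observed_mode(vuln_path),
            "hardened_window_mode": safe_mode,
            "hardened_final_readable_by_others": readable_by_others(safe_path),
            "hardened_refuses_existing": refused_existing,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running the script prints the vulnerable file at 0o644 during the window and the secret still readable through the racer's descriptor after the chmod to 0o600, while the hardened file is 0o600 from the first instant and a second creation attempt is refused. The same reasoning is why the recommendation above says to regenerate keys rather than merely fix permissions on a file that was ever exposed.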

Exploit

Fix

Weakness: Time Of Check To Time Of Use (TOCTOU) race condition (CWE-367)


Weakness Enumeration

Related Identifiers

CVE-2022-23653
GHSA-8wr4-2wm6-w3pr
PYSEC-2022-32

Affected Products

B2 Command Line Tool