{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-13T04:21:22.706","vulnerabilities":[{"cve":{"id":"CVE-2022-23651","sourceIdentifier":"security-advisories@github.com","published":"2022-02-23T23:15:07.837","lastModified":"2024-11-21T06:49:01.377","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later."},{"lang":"es","value":"b2-sdk-python es una biblioteca python para acceder al almacenamiento en la nube proporcionado por backblaze. Las versiones para Linux y Mac del SDK versión 1.14.0 y anteriores contienen una vulnerabilidad de divulgación de claves que, en determinadas condiciones, puede ser explotada por atacantes locales a mediante una condición de carrera de tiempo de comprobación (TOCTOU). Los usuarios del SDK del formato SqliteAccountInfo son vulnerables mientras que usuarios del formato InMemoryAccountInfo están a salvo. El formato SqliteAccountInfo guarda las claves de la API (y el mapeo de nombres de cubos a identificadores) en un archivo de base de datos local ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info o una ruta definida por el usuario). Cuando es creado por primera vez, el archivo es legible para todo el mundo y es (normalmente unos pocos milisegundos) alterado más tarde para ser privado para el usuario. Si el directorio que contiene el archivo es legible por un atacante local, entonces durante el breve período entre la creación del archivo y la modificación de los permisos, un atacante local puede correr para abrir el archivo y mantener un manejo a él. Esto permite al atacante local leer el contenido del archivo después de que la información confidencial haya sido guardado en él. Los consumidores de este SDK que confíen en él para guardar datos usando la clase SqliteAccountInfo deberían actualizar a la última versión del SDK. Aquellos que crean que un usuario local puede haber abierto una cuenta usando esta condición de carrera, deberían eliminar los archivos de base de datos afectados y regenerar todas las claves de la aplicación. Los usuarios deben actualizar a b2-sdk-python versión 1.14.1 o posterior"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:N/A:N","baseScore":1.9,"accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":3.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-367"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:backblaze:b2_python_software_development_kit:*:*:*:*:*:linux:*:*","versionEndIncluding":"1.14.0","matchCriteriaId":"BC616D13-892D-4FB1-A217-41B775ACD9E9"},{"vulnerable":true,"criteria":"cpe:2.3:a:backblaze:b2_python_software_development_kit:*:*:*:*:*:mac:*:*","versionEndIncluding":"1.14.0","matchCriteriaId":"0203F027-571C-407C-A643-439AAEDDC78B"}]}]}],"references":[{"url":"https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2w","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://pypi.org/project/b2sdk/","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2w","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://pypi.org/project/b2sdk/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"]}]}}]}