{"id":"CVE-2022-23653","summary":"B2 Command Line Tool TOCTOU application key disclosure","details":"B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user has not yet run `b2 authorize-account`, then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if, at the time of the file creation, no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1, remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively, a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file.","aliases":["GHSA-8wr4-2wm6-w3pr","PYSEC-2022-32"],"modified":"2026-04-10T04:45:20.344897Z","published":"2022-02-23T23:05:11Z","database_specific":{"cwe_ids":["CWE-367"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23653.json"},"references":[{"type":"ADVISORY","url":"https://github.com/Backblaze/B2_Command_Line_Tool/security/advisories/GHSA-8wr4-2wm6-w3pr"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23653.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23653"},{"type":"FIX","url":"https://github.com/Backblaze/B2_Command_Line_Tool/commit/c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backblaze/b2_command_line_tool","events":[{"introduced":"0"},{"fixed":"c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb"}]}],"versions":["v0.3.10","v0.3.12","v0.4.0","v0.4.10","v0.4.4","v0.4.6","v0.4.8","v0.5.0","v0.5.2","v0.5.4","v0.5.6","v0.6.0","v0.6.2","v0.6.4","v0.6.6","v0.6.8","v0.7.0","v0.7.2","v0.7.4","v1.0.0","v1.1.0","v1.2.0","v1.3.0","v1.3.2","v1.3.4","v1.3.6","v1.3.8","v1.4.0","v1.4.2","v2.0.0","v2.0.2","v2.1.0","v2.2.0","v2.3.0","v2.4.0","v3.0.1","v3.0.2","v3.0.3","v3.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23653.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}