GHSA-P867-FXFR-PH2W
Vulnerability from github – Published: 2022-02-24 12:08 – Updated: 2024-09-04 20:56Impact
Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition.
SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it.
Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys.
Patches
Users should upgrade to b2-sdk-python 1.14.1 or later.
For more information
See the related advisory in the B2 Command Line Tool, a consumer of this SDK.
If you have any questions or comments about this advisory: * Open an issue in b2-sdk-python * Email us at security@backblaze.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "b2sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23651"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-24T12:08:24Z",
"nvd_published_at": "2022-02-23T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nLinux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition.\n\nSDK users of the `SqliteAccountInfo` format are vulnerable while users of the `InMemoryAccountInfo` format are safe. The `SqliteAccountInfo` saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it.\n\nConsumers of this SDK who rely on it to save data using `SqliteAccountInfo` class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys.\n\n### Patches\nUsers should upgrade to b2-sdk-python 1.14.1 or later.\n\n### For more information\nSee the related advisory in the [B2 Command Line Tool](https://github.com/Backblaze/B2_Command_Line_Tool), a consumer of this SDK.\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [b2-sdk-python](https://github.com/Backblaze/b2-sdk-python)\n* Email us at [security@backblaze.com](mailto:security@backblaze.com)\n",
"id": "GHSA-p867-fxfr-ph2w",
"modified": "2024-09-04T20:56:19Z",
"published": "2022-02-24T12:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23651"
},
{
"type": "WEB",
"url": "https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0"
},
{
"type": "PACKAGE",
"url": "https://github.com/Backblaze/b2-sdk-python"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/b2sdk/PYSEC-2022-33.yaml"
},
{
"type": "WEB",
"url": "https://pypi.org/project/b2sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "b2-sdk-python TOCTOU application key disclosure "
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.