CVE-2022-23651: b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a ...

Description

b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later.

Metrics

CVSS 3.1

4.7/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.21%

11.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-367

Affected Software

Vendor	Product	Versions
Backblaze	B2 Python Software Development Kit	<= 1.14.0

References

https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0Patch, Third Party Advisory
https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2wThird Party Advisory
https://pypi.org/project/b2sdk/Product
https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0Patch, Third Party Advisory
https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2wThird Party Advisory
https://pypi.org/project/b2sdk/Product

Timeline

Published: Feb 23, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-23651?

b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later.

How severe is CVE-2022-23651?

CVE-2022-23651 has a CVSS score of 4.7/10 (MEDIUM severity). The EPSS model estimates a 0.21% probability of exploitation in the next 30 days.

How do I fix CVE-2022-23651?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.