cvedb.io
CVE-2022-23651
MEDIUM · CVSS 4.7
EPSS exploitation probability: 0%
Published 2022-02-23T23:15:07.837 · Last modified 2026-06-17T04:30:34.030

Summary

b2-sdk-python is a Python library to access cloud storage provided by Backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable, while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and the bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during th
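The window the summary describes comes from creating the file with the process umask and tightening it afterwards; the fix is to have the kernel create it as 0600 in one step. The following is an added illustration, not code from the advisory or from b2-sdk-python: both patterns side by side, each returning the permission bits the file had at the moment it was created (the file name, JSON placeholder content and the 0022 umask are constructed for the demo).

```python
import os
import stat
import tempfile


def _mode_of(fd: int) -> int:
    """Permission bits of an open file, as the kernel currently reports them."""
    return stat.S_IMODE(os.fstat(fd).st_mode)


def create_then_chmod(path: str, data: bytes) -> int:
    """Vulnerable pattern: create with the process umask, tighten afterwards.
    Returns the mode the file had between creation and chmod (the race window)."""
    old = os.umask(0o022)          # typical default umask, so the new file is 0644
    try:
        with open(path, "wb") as fh:
            mode_in_window = _mode_of(fh.fileno())
            fh.write(data)
        os.chmod(path, 0o600)      # too late: a reader who already opened it keeps the fd
    finally:
        os.umask(old)
    return mode_in_window


def write_private_file(path: str, data: bytes) -> int:
    """Hardened pattern: mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so the
    file is never world readable; os.replace() then publishes it atomically, which
    also keeps later rewrites of an existing file from exposing partial content."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".account_info.", dir=directory)
    try:
        mode_at_creation = _mode_of(fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)      # atomic rename: readers see the old file or the new one
    except BaseException:
        os.unlink(tmp)
        raise
    return mode_at_creation


def demo() -> dict:
    """Constructed run in a scratch directory; returns the observed creation modes."""
    data = b'{"applicationKeyId": "placeholder", "applicationKey": "placeholder"}'
    with tempfile.TemporaryDirectory() as d:
        return {
            "create_then_chmod": create_then_chmod(os.path.join(d, "unsafe"), data),
            "write_private_file": write_private_file(os.path.join(d, "safe"), data),
        }
```

Checking the mode via fstat on the open descriptor, rather than stat on the path afterwards, is what makes the exposure visible: after the chmod both files report 0600, yet only the second was never readable by others.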

Affected products

backblaze — b2_python_software_development_kit


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.