cvedb.io
CVE-2022-23653
MEDIUM · CVSS 4.7
EPSS exploitation probability: 0%
Published 2022-02-23T23:15:07.900 · Last modified 2026-06-17T04:30:34.297

Summary

B2 Command Line Tool is the official command-line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, under certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command-line tool saves API keys (and the bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided. When first created, the file is world-readable and is only later (typically a few milliseconds later) altered to be private to the user. If the directory is readable by a local attacker and

Affected products

backblaze — b2_command_line_tool


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.