Information Exposure Affecting b2 package, versions [,3.2.1)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-B2-2412706
- published24 Feb 2022
- disclosed24 Feb 2022
- creditJan Schejbal
Introduced: 24 Feb 2022
CVE-2022-23653 (opens in a new tab)How to fix?
Upgrade b2 to version 3.2.1 or higher.
Overview
b2 is a Command Line Tool for Backblaze B2
Affected versions of this package are vulnerable to Information Exposure. The command-line tool saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path) when b2 authorize-account is first run.
This happens regardless of whether a valid key is provided or not. When first created, the file is world-readable and is later altered to be private to the user.
If the directory is readable by a local attacker and the user did not yet run b2 authorize-account then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it.