{"containers": {"cna": {"affected": [{"product": "B2_Command_Line_Tool", "vendor": "Backblaze", "versions": [{"status": "affected", "version": "< 3.2.1"}]}], "descriptions": [{"lang": "en", "value": "B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account` then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1 and remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-23T23:05:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Backblaze/B2_Command_Line_Tool/security/advisories/GHSA-8wr4-2wm6-w3pr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Backblaze/B2_Command_Line_Tool/commit/c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb"}], "source": {"advisory": "GHSA-8wr4-2wm6-w3pr", "discovery": "UNKNOWN"}, "title": "B2 Command Line Tool TOCTOU application key disclosure ", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-23653", "STATE": "PUBLIC", "TITLE": "B2 Command Line Tool TOCTOU application key disclosure "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "B2_Command_Line_Tool", "version": {"version_data": [{"version_value": "< 3.2.1"}]}}]}, "vendor_name": "Backblaze"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account` then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1 and remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Backblaze/B2_Command_Line_Tool/security/advisories/GHSA-8wr4-2wm6-w3pr", "refsource": "CONFIRM", "url": "https://github.com/Backblaze/B2_Command_Line_Tool/security/advisories/GHSA-8wr4-2wm6-w3pr"}, {"name": "https://github.com/Backblaze/B2_Command_Line_Tool/commit/c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb", "refsource": "MISC", "url": "https://github.com/Backblaze/B2_Command_Line_Tool/commit/c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb"}]}, "source": {"advisory": "GHSA-8wr4-2wm6-w3pr", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23653", "datePublished": "2022-02-23T23:05:11", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2022-02-23T23:05:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:backblaze:b2_command_line_tool:*:*:*:*:*:linux:*:*", "matchCriteriaId": "8C0E07A2-B0E4-4CB3-8A51-52A48CA903A7", "versionEndIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:backblaze:b2_command_line_tool:*:*:*:*:*:mac:*:*", "matchCriteriaId": "D48B24B7-6F45-48AD-BE6D-704C7FEDAE03", "versionEndIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account` then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1 and remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file."}, {"lang": "es", "value": "B2 Command Line Tool es la herramienta oficial de l\u00ednea de comandos para el servicio de almacenamiento en la nube de Backblaze. Las versiones para Linux y Mac de la herramienta de l\u00ednea de comandos B2, versi\u00f3n 3.2.0 y anteriores, contienen una vulnerabilidad de divulgaci\u00f3n de claves que, en determinadas condiciones, puede ser explotada por atacantes locales mediante una condici\u00f3n de carrera de tiempo de comprobaci\u00f3n de uso (TOCTOU). La herramienta de l\u00ednea de comandos guarda las claves de la API (y el mapeo de nombres de cubos a identificadores) en un archivo de base de datos local (\"$XDG_CONFIG_HOME/b2/account_info\", \"~/.b2_account_info\" o una ruta definida por el usuario) cuando es ejecutado \"b2 authorize-account\" por primera vez. Esto ocurre independientemente de si es proporcionada una clave v\u00e1lida o no. Cuando es creado por primera vez, el archivo es legible para todo el mundo y m\u00e1s tarde (normalmente unos milisegundos) es alterada para que sea privado para el usuario. Si el directorio es legible por un atacante local y el usuario a\u00fan no ha ejecutado \"b2 authorize-account\", entonces durante el breve per\u00edodo entre la creaci\u00f3n del archivo y la modificaci\u00f3n del permiso, un atacante local puede correr para abrir el archivo y mantener un manejo del mismo. Esto permite al atacante local leer el contenido despu\u00e9s del archivo una vez que la informaci\u00f3n confidencial ha sido guardada en \u00e9l. Los usuarios que a\u00fan no hayan ejecutado \"b2 authorize-account\" deber\u00edan actualizar a B2 Command Line Tool versi\u00f3n v3.2.1 antes de ejecutarla. Los usuarios que han ejecutado \"b2 authorize-account\" est\u00e1n seguros si en el momento de la creaci\u00f3n del archivo ning\u00fan otro usuario local ten\u00eda acceso de lectura al archivo de configuraci\u00f3n local. Los usuarios que hayan ejecutado \"b2 authorize-account\" cuando la ruta designada pueda ser abierta por otro usuario local deben actualizar a B2 Command-Line Tool versi\u00f3n v3.2.1 y eliminar la base de datos y regenerar todas las claves de aplicaci\u00f3n. Tenga en cuenta que \"b2 clear-account\" no elimina el archivo de la base de datos y no debe usarse para asegurar que todos los manejadores abiertos al archivo sean invalidados. Si la herramienta de l\u00ednea de comandos B2 no puede actualizarse a versi\u00f3n 3.2.1 debido a un conflicto de dependencias, puede usarse una versi\u00f3n binaria en su lugar. Tambi\u00e9n puede instalarse una nueva versi\u00f3n dentro de un virtualenv, o pueden cambiarse los permisos para evitar que usuarios locales abran el archivo de la base de datos"}], "id": "CVE-2022-23653", "lastModified": "2022-03-07T16:18:36.353", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-02-23T23:15:07.900", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Backblaze/B2_Command_Line_Tool/commit/c74029f9f75065e8f7e3c3ec8e0a23fb8204feeb"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Backblaze/B2_Command_Line_Tool/security/advisories/GHSA-8wr4-2wm6-w3pr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}