GHSA-p867-fxfr-ph2w · 深刻度: medium · エコシステム: pip — b2-sdk-python TOCTOU application key disclosure
b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later.
総合評価: CVE-2022-23651 は低リスク(22.8/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.21%、11 パーセンタイル) 推奨対応: 悪用情報と EPSS の推移を監視し、必要に応じて優先度を見直してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.05% | 0.21% | +0.16% |
| 2 | 2025-04-06 | 0.11% | 0.05% | -0.07% |
| 3 | 2025-03-17 | — | 0.11% | — |
EPSS の全履歴 (全 5 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 4.7 | 3.1 | MEDIUM |
|
1.0 | 3.6 | [email protected] |
| 4.7 | 3.1 | MEDIUM |
|
1.0 | 3.6 | [email protected] |
| 1.9 | 2.0 | LOW |
|
3.4 | 2.9 | [email protected] |
GHSA-p867-fxfr-ph2w · 深刻度: medium · エコシステム: pip — b2-sdk-python TOCTOU application key disclosure
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| backblaze | b2_python_software_development_kit | <= 1.14.0 | cpe:2.3:a:backblaze:b2_python_software_development_kit:*:*:*:*:*:linux:*:* |
| backblaze | b2_python_software_development_kit | <= 1.14.0 | cpe:2.3:a:backblaze:b2_python_software_development_kit:*:*:*:*:*:mac:*:* |
| URL | タグ |
|---|---|
| https://github.com/Backblaze/b2-sdk-python/commit/62476638986e5b6d7459aca5ef8ce220760226e0 | Patch Third Party Advisory |
| https://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2w | Third Party Advisory |
| https://pypi.org/project/b2sdk/ | Product |