CVE-2022-23651
b2-sdk-python TOCTOU application key disclosure
描述
### Impact Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the `SqliteAccountInfo` format are vulnerable while users of the `InMemoryAccountInfo` format are safe. The `SqliteAccountInfo` saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using `SqliteAccountInfo` class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys. ### Patches Users should upgrade to b2-sdk-python 1.14.1 or later. ### For more information See the related advisory in the [B2 Command Line Tool](https://github.com/Backblaze/B2_Command_Line_Tool), a consumer of this SDK. If you have any questions or comments about this advisory: * Open an issue in [b2-sdk-python](https://github.com/Backblaze/b2-sdk-python) * Email us at [[email protected]](mailto:[email protected])
如何修補 CVE-2022-23651
要修補 CVE-2022-23651,請將受影響套件升級到下列已修補版本。
- —升級至 1.14.1 或更新版本
- —升級至 62476638986e5b6d7459aca5ef8ce220760226e0 或更新版本
CVE-2022-23651 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。