SCA: security update for b2sdk (GHSA-p867-fxfr-ph2w)

medium Tenable Cloud Security Plugin ID 417395

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of
the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can
be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of
the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The
SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file
($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the
file is world readable and is (typically a few milliseconds) later altered to be private to the user. If
the directory containing the file is readable by a local attacker then during the brief period between
file creation and permission modification, a local attacker can race to open the file and maintain a
handle to it. This allows the local attacker to read the contents after the file after the sensitive
information has been saved to it. Consumers of this SDK who rely on it to save data using
SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user
might have opened a handle using this race condition, should remove the affected database files and
regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later. (CVE-2022-23651)

See Also

https://github.com/advisories/GHSA-p867-fxfr-ph2w

Plugin Details

Severity: Medium

ID: 417395

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 1.9

Temporal Score: 1.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-23651

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.7

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2022

Vulnerability Publication Date: 2/23/2022

Reference Information

CVE: CVE-2022-23651

cwe: CWE-367