CVE-2022-23651: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in Backblaze b2-sdk-python
b2-sdk-python is a Python library to access cloud storage provided by Backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker, then during the brief period between file creation and permission modification a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using the SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition should remove the affected database files and regenerate all application keys. Users should upgrade to b2-sdk-python 1.14.1 or later.
AI Analysis
Technical Summary
CVE-2022-23651 is a medium-severity vulnerability identified in the Backblaze b2-sdk-python library, specifically versions 1.14.0 and earlier. This Python SDK is used to interact with Backblaze's cloud storage services. The vulnerability arises from a time-of-check to time-of-use (TOCTOU) race condition in the handling of local credential storage when using the SqliteAccountInfo format. This format stores sensitive API keys and bucket name-to-ID mappings in a local SQLite database file, typically located at $XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info, or a user-defined path. Upon creation, this file is initially world-readable before its permissions are quickly changed to restrict access to the user only. If the directory containing this file is readable by a local attacker, the attacker can exploit the brief window between file creation and permission modification to open and maintain a handle to the file. This allows the attacker to read sensitive credentials even after permissions are tightened, effectively disclosing API keys. The InMemoryAccountInfo format is not vulnerable since it does not persist credentials to disk. Exploitation requires local access and the ability to read the directory containing the credential file. There are no known exploits in the wild, and the issue was addressed in version 1.14.1 of the SDK. Users relying on the vulnerable SqliteAccountInfo format should upgrade to 1.14.1 or later, remove any potentially compromised credential files, and regenerate all API keys to mitigate any risk of credential compromise.
Potential Impact
For European organizations using the Backblaze b2-sdk-python library with the vulnerable SqliteAccountInfo format, this vulnerability poses a risk of local credential disclosure. If an attacker gains local access—such as through compromised user accounts, insider threats, or lateral movement within a network—they could extract API keys used to access cloud storage. This could lead to unauthorized data access, data exfiltration, or manipulation of cloud-stored data, impacting confidentiality and integrity. Although exploitation requires local access and directory readability, environments with shared workstations, insufficient file system permissions, or weak endpoint security controls are particularly at risk. The impact is heightened for organizations that store sensitive or regulated data in Backblaze cloud storage, including sectors like finance, healthcare, and critical infrastructure. The vulnerability does not directly affect availability but could indirectly disrupt operations if data integrity is compromised or if keys are revoked following a breach. Given the lack of known exploits, the threat is currently theoretical but should be addressed proactively to prevent potential escalation from initial local compromise to cloud resource compromise.
Mitigation Recommendations
1. Upgrade the b2-sdk-python library to version 1.14.1 or later immediately to eliminate the race condition vulnerability.
2. Audit and restrict permissions on the directories containing the credential files to prevent unauthorized local users from reading or listing directory contents.
3. Transition from the vulnerable SqliteAccountInfo format to the InMemoryAccountInfo format where feasible, as it does not persist credentials to disk.
4. Implement strict endpoint security controls to prevent unauthorized local access, including strong user authentication, endpoint detection and response (EDR) solutions, and regular privilege audits.
5. After patching, delete existing credential files stored by the vulnerable SDK and regenerate all API keys to invalidate any potentially compromised credentials.
6. Monitor local system logs and access patterns for unusual file access or process behavior that could indicate attempts to exploit this race condition.
7. Educate developers and DevOps teams about secure credential storage practices and the risks of TOCTOU vulnerabilities in local file handling.
8. Consider deploying file system integrity monitoring tools to detect unauthorized access or changes to sensitive configuration directories.
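The following is an added illustration, not code from b2-sdk-python: it contrasts the creation order the advisory describes (create with the umask-derived mode, then chmod) with an order that asks for owner-only permissions at creation time, and adds a small permission audit in the spirit of mitigation 2. The helper names (exposed_bits, create_then_chmod, create_private, audit_credential_file, demo) and the account_info filename inside a temporary directory are assumptions for the example.

```python
import os
import stat
import tempfile

# Hypothetical helpers written for this page; not b2-sdk-python's own code.

def exposed_bits(path: str) -> int:
    """Permission bits granted to group/other (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077

def create_then_chmod(path: str) -> int:
    """Vulnerable order from the advisory: the file first exists with the
    process's default (umask-derived) mode and is only afterwards chmod'ed.
    Returns the group/other bits that were visible inside that window."""
    with open(path, "w"):
        pass
    window = exposed_bits(path)   # any open() racing in this window succeeds
    os.chmod(path, 0o600)
    return window

def create_private(path: str) -> int:
    """Hardened order: request 0o600 from the kernel at creation time (umask
    can only remove bits), and O_EXCL refuses to adopt a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return exposed_bits(path)     # never more than the requested 0o600

def audit_credential_file(path: str) -> list:
    """Mitigation 2 check: flag a credential file, or its parent directory,
    that group/other can read or list."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    if exposed_bits(parent) & 0o044:
        findings.append("directory readable by group/other: " + parent)
    if os.path.exists(path) and exposed_bits(path):
        findings.append("file accessible by group/other: " + path)
    return findings

def demo() -> tuple:
    """Run both creation orders under a 022 umask in a private temp dir."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:   # created with mode 0o700
            vuln = create_then_chmod(os.path.join(d, "account_info"))
            safe = create_private(os.path.join(d, "account_info.new"))
            os.chmod(d, 0o755)  # constructed: simulate a listable config dir
            findings = audit_credential_file(os.path.join(d, "account_info"))
            return vuln, safe, len(findings)
    finally:
        os.umask(old)
```

demo() returns the group/other bits seen during the vulnerable window (0o044 under a 022 umask), the bits for the hardened file (0), and one audit finding for the listable directory.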
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Norway, Denmark, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9842c4522896dcbf260a
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 3:49:07 PM
Last updated: 7/26/2025, 11:29:38 AM