Advisory No: TZCERT/SA/2021/08/31
Date of First Release: 31st August 2021
- Azure Cosmos DB
The vulnerability exists in the Azure Cosmos DB Jupyter Notebook feature. The exploitation of this vulnerability could allow a user to gain access to another customer’s resources by using the account’s primary read-write key.
The vulnerability is caused by a series of flaws in a Cosmos DB feature that together create a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, and to gain read-write access to the underlying architecture of Cosmos DB.
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
Microsoft has fixed the flaw and issued a workaround that requires customers to regenerate their primary read-write keys. Users and administrators are advised to follow the steps described in this technical documentation.
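One way to carry out the key regeneration with the Azure CLI, shown as an added example that is not part of the original advisory or of Microsoft's documentation. The account and resource group names are placeholders, and regenerating the secondary key first (so applications can switch to it before the primary key is invalidated) is an assumption made here to avoid downtime; the advisory itself only names the primary read-write key.

```shell
#!/bin/sh
# Added example: regenerate Cosmos DB account keys with the Azure CLI.
# DRY_RUN=1 (the default) only prints the az commands; DRY_RUN=0 runs them
# and requires an authenticated Azure CLI session (az login).

run_az() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "az $*"
    else
        az "$@"
    fi
}

regenerate_key() {
    # $1 = Cosmos DB account, $2 = resource group, $3 = key kind
    case "$3" in
        primary|secondary|primaryReadonly|secondaryReadonly) ;;
        *) echo "unknown key kind: $3" >&2; return 2 ;;
    esac
    run_az cosmosdb keys regenerate \
        --name "$1" --resource-group "$2" --key-kind "$3"
}

rotate_primary_key() {
    # Assumed order (not from the advisory): refresh the secondary key, move
    # applications onto it, then invalidate the primary read-write key.
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: rotate_primary_key ACCOUNT RESOURCE_GROUP" >&2
        return 2
    fi
    regenerate_key "$1" "$2" secondary || return 1
    if [ "${DRY_RUN:-1}" != "1" ]; then
        printf 'Point applications at the new secondary key, then press Enter: '
        read -r reply
    fi
    regenerate_key "$1" "$2" primary || return 1
}

# Usage (placeholder names): DRY_RUN=0 rotate_primary_key my-account my-rg
```

Any connection string or secret store entry that still holds the old primary key stops working once the final command completes, so update those from the new key values before retiring the secondary key.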