Security News > 2021 > August > Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers
Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization.
Cosmos DB is Microsoft's proprietary NoSQL database that's advertised as "a fully managed service" that "Takes database administration off your hands with automatic management, updates and patching."
"We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s)," Microsoft said in a statement.
The exploit identified by Wiz concerns a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, enabling an adversary to obtain the credentials corresponding to the target Cosmos DB account, including the Primary Key, which provides access to the administrative resources for the database account.
Although Microsoft notified over 30% of Cosmos DB customers about the potential security breach, Wiz expects the actual number to be much higher, given that the vulnerability has been exploitable for months.
"Every Cosmos DB customer should assume they've been exposed," Wiz researchers noted, adding, "We also recommend reviewing all past activity in your Cosmos DB account." Additionally, Microsoft is also urging its customers to regenerate their Cosmos DB Primary Keys to mitigate any risk arising from the flaw.