Microsoft fixes critical RCE flaw affecting Azure Cosmos DB

Analysts at Orca Security have found a critical vulnerability affecting Azure Cosmos DB that allowed unauthenticated read and write access to containers.

Named CosMiss, the security issue is in Azure Cosmos DB built-in Jupyter Notebooks that integrate into the Azure portal and Azure Cosmos DB accounts for querying, analyzing, and visualizing NoSQL data and results easier.

Azure Cosmos DB is Microsoft’s fully managed NoSQL database that features broad API type support for applications of all sizes.

Jupyter Notebooks is a web-based interactive platform that allows users to access Cosmos DB data.

When a user creates a new Notebook on Azure Cosmos DB, a new endpoint is created along with a unique new session/notebook ID. The researchers reviewed the traffic of the request from a newly created notebook to the server and noticed the existence of an Authorization Header.

Since Azure Cosmos DB is a fully managed, serverless distributed database, the fixes are taking place on the server side, so users don’t need to take any action to mitigate the risk.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

Tell us about your needs.
Get an answer the same business day.

Tell us about your needs.
Get an answer the same business day.

Fill out the form below and get an answer from our experts within 1 business day.

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.

PCI-DSS

What happens next:

  • We reach out to learn about your objectives
  • We work together to define your project's scope
  • You get an all-inclusive, no engagement proposal

This field is for validation purposes and should be left unchanged.
Scroll to Top

BOOK A MEETING

Enter Your
Corporate Email

This site is registered on wpml.org as a development site.