services / Azure / Cosmos DB database account
An Azure Cosmos DB (DocumentDB) database account, the top-level control-plane resource that hosts databases and containers and governs endpoints, regions, consistency, networking, identity, and backup configuration. It is a primary production data store.
Account master keys are root-equivalent data-plane credentials granting full read/write access to all data in the account, which makes this resource type security-sensitive.
Microsoft.DocumentDB/databaseAccounts/PrivateEndpointConnectionsApproval/action
Approves (or manages) a private endpoint connection request against the account. An attacker who controls or requests a malicious private endpoint can approve their own connection, granting it a private network path directly to the data plane that bypasses firewall and public-network-access restrictions.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data spanning a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited to achieve significant privilege escalation.
Contributed by P0 Security