Azure: Cosmos DB MongoDB role definition
A MongoDB Role Definition is a data-plane RBAC role for the Cosmos DB for MongoDB API, specifying the set of database privileges (actions/resources) that can be granted to user definitions.
Defines the data-plane access-control model for a single database account's data store.
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write
Creating or updating a MongoDB role definition lets an attacker craft or broaden a role's privileges (e.g. readWriteAnyDatabase), escalating the access of any user bound to that role within the database account.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security