services / Azure / Cosmos DB MongoDB user definition

A MongoDB User Definition is a data-plane database user account for the Cosmos DB for MongoDB API, holding the username, credential (password set on write, not returned on read), and the role definitions assigned to it.

Represents a credentialed data-plane identity for a single database account's data store.


Microsoft.​DocumentDB/​databaseAccounts/​mongodbUserDefinitions/​write

Creating or updating a MongoDB user definition lets an attacker provision a database user with a chosen password and attach privileged roles, establishing persistent credentialed data-plane access and escalating privilege.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​DocumentDB
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog