services / Azure / Mongo Cluster users
Database users (data-plane accounts) defined on an Azure Cosmos DB for MongoDB (vCore) Mongo Cluster, including their roles/privileges on the cluster's databases.
These are the database identities that authenticate to and authorize access against the production data store.
Microsoft.DocumentDB/mongoClusters/users/write
Creating or updating a database user lets an attacker mint a new credentialed account, reset an existing user's password, or grant elevated database roles, establishing persistent privileged data-plane access.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog