Researchers Disclose Details of Critical 'CosMiss' RCE Flaw Affecting Azure Cosmos DB


Microsoft claimed that the issue was first identified on August 12, 2022, and that it was fixed globally on October 6, 2022, two days after Orca Security made a responsible disclosure and named the defect CosMiss.

According to researchers Lidor Ben Shitrit and Roee Sagi, “In short, if an attacker had knowledge of a Notebook’s ‘forwardingId,’ which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook without having to authenticate, including read and write access, as well as the ability to modify the file system of the container running the notebook.”