Cosmos DB notebooks lacked an authentication check, meaning that if an attacker
somehow had prior knowledge of a notebook’s temporary ‘forwardingId’ (a 128bit
cryptographically random GUID assigned to a short-lived workspace that expires
after an hour), they could gain full permissions on the notebook, including
read and write access and the ability to modify the file system of the
container running the notebook. These permissions would suffice for an
attacker to obtain remote code execution (RCE) in the notebook container.
However, this would not allow an attacker to execute notebooks, automatically
save notebooks in the victim’s (optionally) connected GitHub repository, or
access data in the Cosmos DB account. Following disclosure, Cosmos DB notebooks
now require an authorization token in the request header before allowing access.
No tracked CVEs