Azure Default API Connection Flaw Enables Full Cross-Tenant Compromise

Post by Shane1145

A critical security vulnerability in Microsoft Azure’s API Connection architecture has been discovered that could allow attackers to completely compromise resources across different tenant environments, potentially exposing sensitive data stored in Key Vaults, Azure SQL databases, and third-party services like Jira and Salesforce.

The vulnerability, which earned a security researcher a $40,000 bounty from Microsoft and a presentation slot at Black Hat, exploited Azure’s shared API Management (APIM) instance where all API Connections are created globally.

https://gbhackers.com/azure-default-api ... tion-flaw/