services / Azure / API Management self-hosted gateways
A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure.
Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.
Microsoft.ApiManagement/service/gateways/token/action
Alias of generateToken that returns the gateway's Shared Access Authorization Token, a usable bearer credential enabling impersonation and lateral movement as the gateway.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security