services / Azure / API Management named values (properties)
Named values (properties) in an Azure API Management service are constant string values referenced across all API configurations and policies; they may be plain or secret-typed.
Secret-typed named values commonly store API keys, connection strings, and backend credentials; control-plane reads mask secret values (a separate listSecrets action returns them).
Microsoft.ApiManagement/service/properties/listSecrets/action
Returns the cleartext secret value of a named value, which commonly holds API keys, connection strings, or backend credentials, enabling credential exfiltration and reuse against the systems those secrets authenticate to.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security