services / Azure / Container registry credential sets
A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity.
Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.
Microsoft.ContainerRegistry/registries/credentialSets/delete
Deleting a credential set removes the authentication configuration that cache rules depend on, breaking upstream pull-through caching as a DoS-like disruption of supporting infrastructure.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploit can incur operational cost.
Links
Contributed by P0 Security