Azure / Container registry image content (pull)
The data-plane image-pull capability of an Azure Container Registry, allowing download of full container image layers and manifests.
Container images frequently bundle proprietary application code, binaries, configuration, and baked-in secrets, making the registry a sensitive production artifact store.
Microsoft.ContainerRegistry/registries/pull/read
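The first question a reviewer asks about this data action is which role definitions in the tenant grant it, and that cannot be answered by string equality alone: Azure RBAC permission blocks support the `*` wildcard in dataActions (so `Microsoft.ContainerRegistry/*` grants pull) and subtract notDataActions from the same block (so a custom "push only" role can carve pull back out). The following is an added example, not the catalog's or P0 Security's code. It applies those two rules to role-definition JSON of the shape `az role definition list -o json` returns; the role definitions embedded below are constructed samples, not data from a real tenant, and the `Reader` entry is there to show that a control-plane `*/read` action does not reach the data plane.

```python
"""Find Azure role definitions that grant the ACR image-pull data action.

Added example (not P0 Security's code). Matching follows Azure RBAC rules:
'*' wildcards in dataActions (matching across '/'), case-insensitive action
names, and notDataActions subtracted within the same permission block.
Input shape mirrors `az role definition list -o json`.
"""
import fnmatch
import json
import sys

PULL_ACTION = "Microsoft.ContainerRegistry/registries/pull/read"

# Constructed sample role definitions (not a real tenant's data).
SAMPLE_ROLE_DEFINITIONS = json.loads(r"""
[
  {"roleName": "AcrPull", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["Microsoft.ContainerRegistry/registries/read"],
                    "notActions": [],
                    "dataActions": ["Microsoft.ContainerRegistry/registries/pull/read"],
                    "notDataActions": []}]},
  {"roleName": "Custom Registry Admin", "roleType": "CustomRole",
   "permissions": [{"actions": [], "notActions": [],
                    "dataActions": ["Microsoft.ContainerRegistry/*"],
                    "notDataActions": []}]},
  {"roleName": "Custom Push Only", "roleType": "CustomRole",
   "permissions": [{"actions": [], "notActions": [],
                    "dataActions": ["Microsoft.ContainerRegistry/registries/*"],
                    "notDataActions": ["Microsoft.ContainerRegistry/registries/pull/read"]}]},
  {"roleName": "Reader", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["*/read"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]}
]
""")


def _matches(action, patterns):
    """True if `action` matches any Azure action pattern (case-insensitive, '*' wildcard)."""
    a = action.lower()
    # fnmatchcase's '*' also matches '/', which is what Azure wildcards do.
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def grants_data_action(role_def, action):
    """True if some permission block allows `action` as a DATA action.

    Control-plane `actions` are ignored on purpose: they never grant a
    data-plane operation such as image pull.
    """
    for perm in role_def.get("permissions", []):
        allowed = _matches(action, perm.get("dataActions", []))
        denied = _matches(action, perm.get("notDataActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting_pull(role_defs, action=PULL_ACTION):
    """Names of role definitions that grant `action`, sorted for stable output."""
    return sorted(r["roleName"] for r in role_defs if grants_data_action(r, action))


if __name__ == "__main__":
    # Usage: python acr_pull_roles.py [role_definitions.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            definitions = json.load(fh)
    else:
        definitions = SAMPLE_ROLE_DEFINITIONS
    for role_name in roles_granting_pull(definitions):
        print(role_name)
```

Role definitions only say what a role could grant; to see who actually holds pull on a given registry, join the output against `az role assignment list --scope <registry resource id> --include-inherited`, since assignments at the resource group or subscription scope are inherited by the registry.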
Pulling an image exports the full artifact: application code plus any secrets, configuration, and other sensitive data baked into its layers. Because every layer ships with the image, material written in an early layer remains recoverable even when a later layer deletes or overwrites it.
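To make the layer point concrete, here is an added example (not the catalog's or P0 Security's code) that scans a pulled image archive layer by layer rather than the merged filesystem. It assumes the `docker save` archive layout, where a top-level `manifest.json` lists one tar per layer in base-to-top order, and OCI whiteout markers (`.wh.<name>`) for deletions. The two-layer image it scans is built in memory, and the key material inside it is fake: layer 1 bakes in an `.env` file and layer 2 "deletes" it, which is exactly the case a scan of the running container's filesystem would miss.

```python
"""Scan every layer of a saved container image for secret-looking strings.

Added example (not P0 Security's code). Reads a `docker save` style archive
(manifest.json -> "Layers" -> one tar per layer) and greps each layer's files,
flagging hits that a later layer hides via an OCI whiteout or overwrite.
The sample image is constructed in memory; its secret is fake.
"""
import io
import json
import re
import tarfile

# Deliberately small pattern set; a real scanner carries many more.
SECRET_PATTERNS = {
    "aws_secret_key": re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S{20,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_token": re.compile(r"(?i)(?:api[_-]?key|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}
MAX_FILE_BYTES = 1 << 20  # skip big binaries; baked-in secrets live in small files


def _tar_bytes(files):
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image: layer 1 adds app/.env, layer 2 whites it out."""
    layer1 = _tar_bytes({
        "app/main.py": b"print('hello')\n",
        "app/.env": b"AWS_SECRET_ACCESS_KEY=FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE\n",
    })
    layer2 = _tar_bytes({
        "app/.wh..env": b"",  # OCI whiteout: hides app/.env in the merged rootfs only
        "app/config.json": b'{"debug": false}\n',
    })
    manifest = [{"Config": "cfg.json", "RepoTags": ["acme/api:1.0"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "cfg.json": b"{}",
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


def _whiteout_target(member_name):
    """Map 'dir/.wh.name' to 'dir/name'; None if the entry is not a whiteout."""
    head, _, base = member_name.rpartition("/")
    if base.startswith(".wh.") and base != ".wh..wh..opq":  # skip opaque-dir marker
        target = base[len(".wh."):]
        return f"{head}/{target}" if head else target
    return None


def _layer_files(image, layer_name):
    """List (path, bytes) for regular files in one layer tar of the archive."""
    blob = io.BytesIO(image.extractfile(layer_name).read())
    files = []
    with tarfile.open(fileobj=blob, mode="r:*") as layer:  # r:* handles gzip layers too
        for member in layer:
            if member.isfile() and member.size <= MAX_FILE_BYTES:
                files.append((member.name, layer.extractfile(member).read()))
    return files


def scan_image(archive_bytes):
    """Return sorted (layer_index, path, pattern_name, hidden_in_final_rootfs) hits."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        layers = [_layer_files(image, name) for name in manifest[0]["Layers"]]

    whiteouts = set()
    last_writer = {}  # path -> index of the topmost layer that writes it
    for idx, files in enumerate(layers):
        for path, _ in files:
            last_writer[path] = idx
            target = _whiteout_target(path)
            if target:
                whiteouts.add(target)

    hits = []
    for idx, files in enumerate(layers):
        for path, data in files:
            text = data.decode("utf-8", errors="ignore")
            hidden = path in whiteouts or last_writer[path] > idx
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((idx, path, name, hidden))
    return sorted(hits)


if __name__ == "__main__":
    for layer_idx, path, name, hidden in scan_image(build_sample_image()):
        print(f"layer {layer_idx}: {path} matches {name}"
              f"{' (hidden in final rootfs)' if hidden else ''}")
```

Run against a real pull with `docker pull <registry>.azurecr.io/<repo>:<tag>` followed by `docker save <image> -o image.tar` and feed the file's bytes to `scan_image`; the `hidden` flag is the part worth reading, since it marks secrets that no scan of a running container would ever see.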
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog