Container registry image content (pull)

The data-plane image-pull capability of an Azure Container Registry, allowing download of full container image layers and manifests.

Container images frequently bundle proprietary application code, binaries, configuration, and baked-in secrets, making the registry a sensitive production artifact store.


Microsoft.ContainerRegistry/registries/pull/read

Pulling images exports full container artifacts, exfiltrating application code as well as embedded secrets, configuration, and sensitive data in image layers.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog