services / Azure / Container registry quarantined images

Quarantined images are container images held in a gated, not-yet-validated state in an Azure Container Registry pending security scanning/content-trust approval before they may be pulled normally.

The quarantine gate is a defense control; reading/modifying it bypasses image vetting and can expose unvetted artifact content.


Microsoft.​ContainerRegistry/​registries/​quarantine/​read

Pulls quarantined images, exporting the image content/layers (which may contain sensitive code and data) before they have passed the security gate.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerRegistry
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog