services / Azure / Container registry quarantined images
Quarantined images are container images held in a gated, not-yet-validated state in an Azure Container Registry pending security scanning/content-trust approval before they may be pulled normally.
The quarantine gate is a defense control; reading/modifying it bypasses image vetting and can expose unvetted artifact content.
Microsoft.ContainerRegistry/registries/quarantine/write
Modifies quarantine state, letting an attacker mark a malicious/unscanned image as passed, bypassing the quarantine security gate so a poisoned image becomes pullable into production.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
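A defender reviewing who can flip the quarantine gate needs to account for Azure RBAC wildcard and NotActions semantics, not just search role definitions for the literal action string. The following audit helper is an added example, not part of this catalog entry; the role and assignment records are constructed samples shaped like Azure role definition JSON (actions/notActions), and the function names are hypothetical.

```python
import re

QUARANTINE_WRITE = "Microsoft.ContainerRegistry/registries/quarantine/write"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, flags=re.IGNORECASE) is not None


def role_grants(role: dict, action: str = QUARANTINE_WRITE) -> bool:
    """Effective control-plane permission = Actions minus NotActions.
    A wildcard like '*' or 'Microsoft.ContainerRegistry/registries/*' grants the
    action unless a NotActions entry carves it back out."""
    allowed = any(action_matches(p, action) for p in role.get("actions", []))
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def principals_with_quarantine_write(assignments: list, roles: list) -> list:
    """Return (principalId, roleName, scope) for every assignment whose role can
    modify quarantine state. Unknown role ids are skipped."""
    roles_by_id = {r["id"]: r for r in roles}
    hits = []
    for a in assignments:
        role = roles_by_id.get(a["roleDefinitionId"])
        if role is not None and role_grants(role):
            hits.append((a["principalId"], role["roleName"], a["scope"]))
    return hits


# Constructed sample data (hypothetical ids; not real tenant values).
SAMPLE_ROLES = [
    {"id": "role-owner", "roleName": "Owner",
     "actions": ["*"], "notActions": []},
    {"id": "role-reader", "roleName": "RegistryReader (custom)",
     "actions": ["Microsoft.ContainerRegistry/registries/read"], "notActions": []},
    {"id": "role-ops", "roleName": "RegistryOps (custom)",
     "actions": ["Microsoft.ContainerRegistry/registries/*"],
     "notActions": ["Microsoft.ContainerRegistry/registries/quarantine/*"]},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-ci-builder", "roleDefinitionId": "role-owner", "scope": "/subscriptions/sub-1"},
    {"principalId": "user-auditor", "roleDefinitionId": "role-reader", "scope": "/subscriptions/sub-1"},
    {"principalId": "sp-registry-ops", "roleDefinitionId": "role-ops", "scope": "/subscriptions/sub-1"},
]
```

In this sample only the Owner assignment can bypass the gate: the custom RegistryOps role's registries/* wildcard is neutralised by its quarantine/* NotActions entry, which is the least-privilege shape to aim for.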
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog