Azure: Container registry quarantined images

Quarantined images are container images held in a gated, not-yet-validated state in an Azure Container Registry, pending security scanning or content-trust approval, before they may be pulled normally.

The quarantine gate is a defensive control; reading or modifying it bypasses image vetting and can expose unvetted artifact content.

Microsoft.ContainerRegistry/registries/quarantine/write

Modifies the quarantine state of an image. An attacker holding this privilege can mark a malicious or unscanned image as passed, bypassing the quarantine security gate so that a poisoned image becomes pullable into production.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog