services / Azure / Container registry repository image content
The data-plane image/artifact content of repositories in an Azure Container Registry: the actual container image layers, manifests, and OCI artifacts that downstream Kubernetes clusters and workloads pull and run.
Image layers routinely embed proprietary application source and binaries, configuration, and baked-in secrets, so reading this content is a data-exposure risk; controlling it is a supply-chain position over every cluster and workload that consumes the registry.
Microsoft.ContainerRegistry/registries/repositories/content/write
Pushing content lets an attacker overwrite a trusted, mutable tag (a release tag or `latest`) with a backdoored image; every downstream cluster that pulls that tag rather than a pinned digest fetches and executes the new content on its next pull or rollout. The result is supply-chain manipulation and hijacking of compute through the deployed workloads. Tags that have been locked (write-disabled) in the registry cannot be overwritten this way, and consumers that pin images by digest are not silently affected, so those two controls are the practical checks to run when this permission is granted.
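As an added example (not part of the P0 Security page or of Azure's own tooling), the Python below implements the two checks above: it parses image references from workload manifests to find ones that pull through a mutable tag, and compares a repository's current tag metadata, in the shape returned by `az acr repository show-tags --detail`, against a reviewed baseline to flag tags whose digest changed or that are still write-enabled. The registry name, repository, tag names and every digest are constructed sample data.

```python
"""Spot tag overwrites and unpinned pulls for an ACR repository (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder digests (not real manifests).
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DIGEST_C = "sha256:" + "c" * 64
DIGEST_D = "sha256:" + "d" * 64

# Constructed sample in the shape of
#   az acr repository show-tags --name contoso --repository payments/api --detail
# Registry, repository and tag names are assumptions for illustration.
TAG_METADATA = [
    {"name": "v1.4.2", "digest": DIGEST_A, "lastUpdateTime": "2024-03-01T10:00:00Z",
     "changeableAttributes": {"writeEnabled": False, "deleteEnabled": False}},
    {"name": "latest", "digest": DIGEST_C, "lastUpdateTime": "2024-03-09T02:13:00Z",
     "changeableAttributes": {"writeEnabled": True, "deleteEnabled": True}},
    {"name": "v1.5.0", "digest": DIGEST_D, "lastUpdateTime": "2024-03-08T16:40:00Z",
     "changeableAttributes": {"writeEnabled": True, "deleteEnabled": True}},
]

# Constructed baseline: the digest each tag resolved to when it was last reviewed.
# "latest" was reviewed at DIGEST_B, so the registry now disagrees with it.
BASELINE = {"v1.4.2": DIGEST_A, "latest": DIGEST_B}

# Constructed image references as they would appear in Kubernetes pod specs.
WORKLOAD_IMAGES = [
    "contoso.azurecr.io/payments/api:v1.4.2",
    "contoso.azurecr.io/payments/api@" + DIGEST_A,
    "contoso.azurecr.io/payments/api:latest",
]

# registry/repo[:tag][@sha256:digest]; the repository part may contain slashes.
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^:@]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split an image reference into registry, repo, tag and digest (None if absent)."""
    m = IMAGE_REF.match(ref)
    if not m:
        raise ValueError(f"unrecognised image reference: {ref!r}")
    return m.groupdict()


def unpinned_refs(refs: List[str]) -> List[str]:
    """References without a digest resolve through a mutable tag, so a push to
    that tag changes what the workload runs on its next pull."""
    return [r for r in refs if parse_image_ref(r)["digest"] is None]


def drifted_tags(metadata: List[dict], baseline: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Tags whose current digest differs from the reviewed baseline, mapped to
    (expected, actual). Tags absent from the baseline are reported with expected None."""
    out: Dict[str, Tuple[Optional[str], str]] = {}
    for entry in metadata:
        expected = baseline.get(entry["name"])
        if expected != entry["digest"]:
            out[entry["name"]] = (expected, entry["digest"])
    return out


def unlocked_tags(metadata: List[dict]) -> List[str]:
    """Tags that are still write-enabled and can therefore be overwritten by any
    principal holding content/write on the repository."""
    return [e["name"] for e in metadata if e["changeableAttributes"]["writeEnabled"]]


if __name__ == "__main__":
    for ref in unpinned_refs(WORKLOAD_IMAGES):
        print(f"UNPINNED  {ref}")
    for tag, (expected, actual) in drifted_tags(TAG_METADATA, BASELINE).items():
        print(f"DRIFT     {tag}: reviewed {expected} -> now {actual}")
    for tag in unlocked_tags(TAG_METADATA):
        print(f"UNLOCKED  {tag}")
```

Against a real registry, feed the JSON from `az acr repository show-tags --name <registry> --repository <repo> --detail` to `drifted_tags` and `unlocked_tags`, and pass the `image:` fields of your pod specs to `unpinned_refs`. Reviewed release tags can then be locked with `az acr repository update --name <registry> --image <repo>:<tag> --write-enabled false`, after which a push to that tag fails even for a principal that holds content/write.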
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security