services / Azure / Container registry scope maps
Scope maps define the repository-level permissions (content pull, push and delete actions per repository) that are bound to Azure Container Registry tokens. Together they form the registry's repository-scoped access-control model.
Scope maps are ACR's RBAC mechanism for token-based access; creating or altering them grants or revokes registry access.
Microsoft.ContainerRegistry/registries/scopeMaps/write
Creating or updating a scope map grants or broadens the repository-level permissions bound to registry tokens. This directly escalates registry access (scope maps are ACR's RBAC grant mechanism) and alters the access-control policy.
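An added example, not code from P0 Security or Microsoft: a Python check that compares a scope map's action list before and after a write and reports which repository permissions were broadened. It assumes action strings in ACR's `repositories/<repo>/<type>/<verb>` form; the function names, severity labels and sample scope maps are constructed for illustration.

```python
# Added example: review a scope map write for broadened access.
# Assumes ACR action strings of the form repositories/<repo>/<type>/<verb>.
# Function names and severity labels are hypothetical, not an Azure API.

HIGH_IMPACT = {"content/write", "content/delete", "metadata/write"}


def parse_action(action):
    """Split a scope map action into (repository, permission).

    Repository names may contain '/', so the permission is the last two
    path segments. Non-repository actions come back as (None, action).
    """
    text = action.strip().lower()
    parts = text.split("/")
    if len(parts) < 4 or parts[0] != "repositories":
        return None, text
    return "/".join(parts[1:-2]), "/".join(parts[-2:])


def broadened(old_actions, new_actions):
    """Return one finding per permission present after the write only."""
    before = {parse_action(a) for a in old_actions}
    known_repos = {repo for repo, _ in before}
    added = {parse_action(a) for a in new_actions} - before
    findings = []
    for repo, perm in sorted(added, key=lambda t: (t[0] or "", t[1])):
        if repo is None:
            severity = "review"   # not a repository action, inspect by hand
        elif perm in HIGH_IMPACT or "*" in repo:
            severity = "high"     # mutating permission or wildcard repository
        else:
            severity = "low"      # read-only on a single repository
        findings.append({"repository": repo, "permission": perm,
                         "severity": severity,
                         "new_repository": repo not in known_repos})
    return findings


if __name__ == "__main__":
    # Constructed sample: scope map contents before and after an update.
    old = ["repositories/app/api/content/read",
           "repositories/app/api/metadata/read"]
    new = old + ["repositories/app/api/content/write",
                 "repositories/base/*/content/delete"]
    for finding in broadened(old, new):
        print(finding)
```

An update that only removes actions yields no findings, so the output isolates the grants that need review.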
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security