ACR task runs are execution records for quick tasks and scheduled tasks: each run executes containerized build and run steps on ACR-managed compute, frequently under the managed identity assigned to the registry or the task.

Task runs execute attacker-definable workloads, and their full run details can embed source-repository and custom-registry login credentials.

Microsoft.ContainerRegistry/registries/taskruns/listDetails/action

listDetails returns the full run request, including any embedded source and custom-registry login credentials, so a principal holding this permission can export reusable secret material and pivot into those registries and source repositories.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog