services / Azure / ACR registry tokens
ACR tokens are named, repository-scoped access principals bound to scope maps that authorize pull/push/delete operations against a container registry.
Tokens are credential-backed access identities for the registry's image supply chain; their passwords are generated separately via the credentials action and are not returned by read.
Microsoft.ContainerRegistry/registries/tokens/write
Create/Update token provisions a durable attacker-controlled scoped credential identity and can broaden its scope-map permissions (push/pull/delete), establishing persistent privileged access to registry content.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security