
NotCVE-2025-0001 – Insufficient network isolation
https://notcve.org/view.php?id=NotCVE-2025-0001
05 Jun 2025 — When you run a container on the default Docker “bridge” network, Docker sets up NAT (Network Address Translation) rules using your system’s firewall (via iptables). For example, the following command forwards traffic from port 8080 on your host to port 80 in the container. docker run -d -p 8080:80 my-web-app However, if your host’s filter-FORWARD chain is permissive (i.e., ACCEPT by default) and net.ipv4.ip_forward is enabled, unpublished ports could also be remotely accessible under certain conditions. ... • https://www.docker.com/blog/docker-engine-28-hardening-container-networking-by-default/ • CWE-653: Improper Isolation or Compartmentalization •

CVE-2020-13401 – Debian Security Advisory 4716-1
https://notcve.org/view.php?id=CVE-2020-13401
02 Jun 2020 — An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. Se detectó un problema en Docker Engine versiones anteriores a 19.03.11. Un atacante en un contenedor, con la capacidad CAP_NET_RAW, puede diseñar anuncios de router IPv6, y en consecuencia falsificar hosts IPv6 externos, obtener información confidenc... • https://github.com/arax-zaeimi/Docker-Container-CVE-2020-13401 • CWE-20: Improper Input Validation •

CVE-2019-5736 – runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout
https://notcve.org/view.php?id=CVE-2019-5736
11 Feb 2019 — runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/sel... • https://packetstorm.news/files/id/165197 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-672: Operation on a Resource after Expiration or Release •

CVE-2018-20699 – docker: Memory exhaustion via large integer used with --cpuset-mems or --cpuset-cpus
https://notcve.org/view.php?id=CVE-2018-20699
12 Jan 2019 — Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. Docker Engine, en versiones anteriores a la 18.09, permite que los atacantes provoquen una denegación de servicio (consumo de la memoria dockerd) mediante un entero grande en los valores --cpuset-mems o --cpuset-cpus. Esto está relacionado con daemon/daemon_uni... • https://access.redhat.com/errata/RHSA-2019:0487 • CWE-400: Uncontrolled Resource Consumption •

CVE-2014-8178 – SUSE Security Advisory - SUSE-SU-2015:1757-1
https://notcve.org/view.php?id=CVE-2014-8178
14 Oct 2015 — Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. Docker Engine versiones anteriores a la versión 1.8.3 y CS Docker Engine versiones anteriores a la versión 1.6.2-CS7, no utilizan un identificador único de forma global para almacenar capas de imágenes, lo que facilita a atacantes envenenar la caché de imágenes por medio de u... • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html • CWE-20: Improper Input Validation •

CVE-2014-8179 – SUSE Security Advisory - SUSE-SU-2015:1757-1
https://notcve.org/view.php?id=CVE-2014-8179
14 Oct 2015 — Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. Docker Engine versiones anteriores a la versión 1.8.3 y CS Docker Engine versiones anteriores a la versión 1.6.2-CS7 no comprueba y extrae apropiadamente el objeto manifiesto desde su representación JSON durante una extracción, lo que permit... • http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html • CWE-20: Improper Input Validation •