There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has a few of these over the last few years, it isn't inconceivable that there are more to be found.
Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.
Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.
[0] https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-fr...
[1] https://seclists.org/oss-sec/2019/q1/119