CVE-2020-13401
CVE-2020-13401 is a medium-severity vulnerability in Docker Engine with a CVSS 3.x base score of 6.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Medium (CVSS 3.x base score 6.0)
- CVSS v2: 6.0
- EPSS exploit prediction: 3% (85th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Docker Engine
- Published:
- Last modified:
Description
An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.
Frequently asked questions
- What is CVE-2020-13401?
- An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.
- How severe is CVE-2020-13401?
- CVE-2020-13401 has a CVSS 3.x base score of 6.0, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2020-13401 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (85th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-13401?
- CVE-2020-13401 primarily affects Docker Engine. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-13401?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-13401 published?
- CVE-2020-13401 was published on 2020-06-02 and last updated on 2026-06-17.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00040.html
- http://www.openwall.com/lists/oss-security/2020/06/01/5
- https://docs.docker.com/engine/release-notes/
- https://github.com/docker/docker-ce/releases/tag/v19.03.11
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DN4JQAOXBE3XUNK3FD423LHE3K74EMJT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZLKRCOJMOGUIJI2AS27BOZS3RBEF3K/
- https://security.gentoo.org/glsa/202008-15
- https://security.netapp.com/advisory/ntap-20200717-0002/
- https://www.debian.org/security/2020/dsa-4716
Affected products (5)
- cpe:2.3:a:docker:engine:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:broadcom:sannav:-:*:*:*:*:*:*:*
More vulnerabilities in Docker Engine
- CVE-2026-34040 — High (CVSS 8.8): Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that…
- CVE-2026-42306 — High (CVSS 7.2): Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and…
- CVE-2026-33997 — Medium (CVSS 6.8): Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that…
- CVE-2026-41568 — Medium (CVSS 6.1): Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and…
- CVE-2018-20699 — Medium (CVSS 4.9): Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large…
All CVEs affecting Docker Engine →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →