Owasp Docker

# 00 Vulnerability Index

This document provides the index for the OWASP Docker Security Top 6 vulnerabilities.
Each entry includes its identifier, title, and primary category.

## Vulnerability catalog

| ID  | Title                                | Category                 |
|-----|--------------------------------------|--------------------------|
| D01 | Secure User Mapping                  | Privilege Management     |
| D02 | Patch Management Strategy            | Patch Management         |
| D03 | Network Segmentation and Firewalling | Network Security         |
| D04 | Secure Defaults and Hardening        | Configuration Management |
| D05 | Maintain Security Contexts           | Isolation                |
| D07 | Resource Protection                  | Resource Management      |

## Cross-reference matrix

Each vulnerability document follows a consistent structure:

1. Description — what the vulnerability is and how it manifests in Docker container environments.
2. Risk — concrete consequences of exploitation and business impact.
3. Vulnerability checklist — indicators that the environment is exposed.
4. Prevention controls — defensive measures and rectification steps.
5. Example attack scenarios — realistic exploitation narratives.
6. Detection guidance — signals and methods to identify exposure.
7. Remediation — immediate and long-term actions to contain and resolve.

## Category groupings

### Privilege Management

* D01 Secure User Mapping

### Patch Management

* D02 Patch Management Strategy

### Network Security

* D03 Network Segmentation and Firewalling

### Configuration Management

* D04 Secure Defaults and Hardening

### Isolation

* D05 Maintain Security Contexts

### Resource Management

* D07 Resource Protection

---

*🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*


---
title: 'D01: Secure User Mapping'
description: OWASP Docker Top 6 reference for secure user mapping vulnerabilities including root container execution and privilege escalation
---

# 01 Secure User Mapping

Identifier: D01
Category: Privilege Management

## Description

Insecure user mapping occurs when container microservices run under the root user inside the
container.
If the service contains a weakness the attacker gains full privileges within the container.
While default protections such as Linux capabilities, AppArmor, or SELinux profiles remain, running
as root removes one layer of defense.
This broadens the attack surface and violates the principle of least privilege.
Privileged containers started with the `--privileged` flag are especially dangerous, as a breakout
from the microservice into the container is nearly equivalent to running without any container
isolation.

## Risk

* Full root-level access within the container upon exploitation of any service vulnerability.
* Privileged containers grant access to all Linux capabilities, host devices under `/dev`, and the
  `/sys` and `/proc` filesystems.
* Kernel module loading on the host becomes possible from a privileged container.
* Lateral movement to the host or other containers is significantly easier from a root context.
* Violation of least privilege principle increases blast radius of any compromise.

## Vulnerability checklist

* Container processes run as `root` (UID 0) rather than a dedicated non-root user.
* Dockerfiles lack a `USER` directive before the service entrypoint.
* The `--privileged` flag is used when starting containers.
* No Linux user namespace remapping is configured on the Docker daemon.
* SUID/SGID binaries exist in the container image and are not neutralized.
* Pod security policies or equivalent controls do not enforce non-root execution.

## Prevention controls

1. Never use the `--privileged