CVE-2016-8867 (docker)
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
Source: CVE-2016-8867 (docker)