Docker creates network bridges that accept IPv6 router advertisements by default. An attacker able to execute code in a container could exploit this to spoof rogue IPv6 router advertisements to perform a MitM attack against the host network.
Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: Etienne Champetier
Mitigation: Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.
Upstream Patch: https://github.com/moby/libnetwork/commit/153d0769a1181bf591a9637fd487a541ec7db1e6
External References:
https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8
https://docs.docker.com/engine/release-notes/#190311
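A host-side check for the condition described above, added here as an example and not taken from Docker or the upstream patch: it lists bridge interfaces whose IPv6 `accept_ra` sysctl is non-zero. The function names, the `PROC_ROOT` override and the default interface patterns (`docker0`, `br-*`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report bridge interfaces that still accept IPv6 router
# advertisements (accept_ra != 0).
# PROC_ROOT is a hypothetical override so the check can be pointed at a copied
# or constructed tree; on a live host it defaults to /proc.
# Usage: audit_bridges || echo "bridge(s) accept router advertisements"

# Assumption: Docker-created bridges are named docker0 or br-<id>.
# Pass other glob patterns as arguments for custom bridge names.
ra_accepting_bridges() {
    root="${PROC_ROOT:-/proc}/sys/net/ipv6/conf"
    [ "$#" -gt 0 ] || set -- 'docker0' 'br-*'
    for pattern in "$@"; do
        for dir in "$root"/$pattern; do
            # Skip unmatched globs and interfaces without an IPv6 entry.
            [ -r "$dir/accept_ra" ] || continue
            val=$(cat "$dir/accept_ra")
            # Kernel values: 0 = ignore RAs, 1 = accept unless forwarding
            # is enabled, 2 = accept even when forwarding is enabled.
            case "$val" in
                0) ;;
                *) printf '%s accept_ra=%s\n' "${dir##*/}" "$val" ;;
            esac
        done
    done
}

# Prints findings and returns 1 if any matching bridge accepts RAs, else 0.
audit_bridges() {
    findings=$(ra_accepting_bridges "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A non-zero result only shows that the bridge would process router advertisements; whether a container can send them still depends on it holding CAP_NET_RAW, as the mitigation states.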
quay.io runs on OpenShift Dedicated, so AFAIK there is no docker runtime available. The quay.io builders do perform docker builds but these are done within disposable VMs that only exist for the duration of the build.