Published: 08/05/2019 Updated: 15/05/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
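The condition described above is visible directly in the shadow file: the password field (the second colon-separated field) of the `root` entry is empty, and PAM treats an empty field as "no password required", whereas `!` or `*` marks a locked account. The POSIX shell snippet below is an added example for checking an image for that condition and for locking any such entry; it is not the advisory's or Alpine's own code. The shadow content it reads is constructed for the example, and writing `!` into the empty field is assumed here as the locking fix rather than taken from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): detect and lock shadow entries whose
# password field is empty, the condition the vulnerability summary describes.
# Shadow field layout: name:password:lastchg:min:max:warn:inactive:expire:flag
# An empty second field means "no password required"; "!" or "*" means locked.

# Constructed sample shadow content for this example (not any real image's file):
# root has an empty password field; the other entries are locked or hashed.
SAMPLE_SHADOW='root::18000:0:::::
bin:!::0:::::
daemon:!::0:::::
app:$6$saltsalt$constructedhashvalue:18000:0:99999:7:::'

# Print the name of every account whose password field is empty.
# Reads shadow-format text on stdin; blank lines are ignored.
find_empty_password_accounts() {
    awk -F: '$1 != "" && $2 == "" { print $1 }'
}

# Rewrite shadow-format text from stdin so that every empty password field
# becomes "!", i.e. the account is locked (assumed fix, see the note above).
lock_empty_password_fields() {
    awk -F: 'BEGIN { OFS = ":" } $1 != "" && $2 == "" { $2 = "!" } { print }'
}

# Return 0 if no account has an empty password field, 1 otherwise,
# naming the offending accounts on stderr.
check_shadow() {
    empties=$(find_empty_password_accounts)
    if [ -n "$empties" ]; then
        printf 'accounts with empty password field: %s\n' "$empties" >&2
        return 1
    fi
    return 0
}

# Against a running container the same check would read the real file, e.g.
#   docker run --rm alpine:3.9 cat /etc/shadow | check_shadow
# Here the constructed sample is checked before and after locking.
if printf '%s\n' "$SAMPLE_SHADOW" | check_shadow; then
    echo "no empty password fields found"
else
    echo "affected: empty password field present"
fi
printf '%s\n' "$SAMPLE_SHADOW" | lock_empty_password_fields | check_shadow \
    && echo "after locking: no empty password fields found"
```

The detection deliberately keys on an empty field rather than on the account name, so it also catches any other account that was shipped or later created without a password.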

Github Repositories

Base Images for Hanami (131). README contents: Overview; Important Notes; Silent Gem Version Updates; Alpine Linux Version; No Qt-included Image Variants; Building and Tagging the Images; Images and Supported Tags; Debian Stretch Images (with hanami-model, without hanami-model); Debian Slimmed-down Stretch Images (without hanami-model); Alpine 3.9 Images (with hanami-model, without hanami-m

Recent Articles

Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked
Threatpost • Tom Spring • 09 May 2019

For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images.
Affected versions of Alpine Linux Docker distros include 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9 Alpine Docker Edge, according to Cisco Talos researchers who discovered the bug, tested each version and released their findings on Wednesday. Vulnerable images of Alpine Linux Dockers w...