Published: 08/05/2019 Updated: 03/06/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
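The condition the advisory describes is an empty second field in the shadow file, which is what lets PAM-backed services accept a blank password. The POSIX shell script below is an added example (not from the advisory or the Alpine project) that audits a shadow-format file for such accounts and produces a hardened copy with the field set to `!`, the same locked state `passwd -l` leaves behind. The sample shadow content is constructed to resemble an affected image; run the functions against a real `/etc/shadow` from inside the container to check a deployed image.

```shell
#!/bin/sh
# Added example, not part of the advisory: detect and lock accounts whose
# shadow password field is empty (the CVE-2019-5021 condition).

# Constructed sample resembling an affected image: root has an empty
# password field, the other accounts are locked ("!" or "*").
SAMPLE_SHADOW='root::18000:0:::::
bin:!::0:::::
nobody:!::0:::::
app:*:18000:0:99999:7:::'

# Print the name of every account whose password field (field 2) is empty.
# Usage: find_empty_passwords /etc/shadow
find_empty_passwords() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Return 0 if no account has an empty password field, 1 otherwise.
shadow_is_clean() {
    [ -z "$(find_empty_passwords "$1")" ]
}

# Write a hardened copy to stdout: an empty password field becomes "!",
# which locks the account; every other field is left untouched.
lock_empty_passwords() {
    awk -F: 'BEGIN { OFS = ":" } NF >= 2 && $2 == "" { $2 = "!" } { print }' "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
echo "accounts with an empty password field:"
find_empty_passwords "$tmp"
shadow_is_clean "$tmp" || echo "shadow file is NOT clean"
lock_empty_passwords "$tmp" > "$tmp.locked"
shadow_is_clean "$tmp.locked" && echo "locked copy is clean"
rm -f "$tmp" "$tmp.locked"
```

On the sample the audit reports `root`; after locking, the root line reads `root:!:18000:0:::::` and the audit reports nothing. In a Dockerfile the locking step belongs in the image build, and the audit is cheap enough to run as an image-scanning check before deployment.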

Recent Articles

194 of The Top 1000 Docker Containers Don’t Have Root Passwords
BleepingComputer • Sergiu Gatlan • 21 May 2019

Cisco Talos' discovery that the Alpine Linux distribution Docker image came with a blank root password (CVE-2019-5021) led to the discovery that 194 of the top 1000 most popular Docker containers also have no root passwords.
As part of their report, Cisco Talos' researchers said that "The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilize Linux PAM [Pluggable Authentication Modules],...

Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked
Threatpost • Tom Spring • 09 May 2019

For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images.
Affected versions of Alpine Linux Docker distros include 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9 Alpine Docker Edge, according to Cisco Talos researchers who discovered the bug, tested each version and released their findings on Wednesday. Vulnerable images of Alpine Linux Dockers w...

Bug in Alpine Linux Docker Image Leaves Root Account Unlocked
BleepingComputer • Ionut Ilascu • 08 May 2019

A security vulnerability in the Official Docker images based on the Alpine Linux distribution allowed, for more than three years, logging into the root account using a blank password.
Tracked as CVE-2019-5021, the vulnerability has a critical severity score of 9.8. It was initially reported in build 3.2 of Alpine Linux Docker image and patched in November 2015, with regression tests added to prevent it from occurring in the future.
However, a new commit was pushed later that year ...