Alpine Docker images shipped with a blank root password

Security researchers at Cisco disclosed details of a vulnerability (CVE-2019-5021) in builds of the Alpine distribution for the Docker container isolation system. The essence of the problem is that the root user's default password was set to an empty password, and direct root login was not blocked. Recall that Alpine is used to build official images from the Docker project (the official builds used to be based on Ubuntu, but were later moved to Alpine).

The problem has been present since the Alpine Docker 3.3 build and was caused by a regression introduced in 2015 (before version 3.3, the line "root:!::0:::::" was used in /etc/shadow; afterwards, following a change involving the "-d" flag, the line "root:::0:::::" was added instead). The problem was initially identified and fixed in November 2015, but in December it mistakenly resurfaced in the build files of the experimental branch and was then carried over to stable builds.

The vulnerability report indicates that the problem also affects the latest Alpine Docker branch, 3.9. The Alpine developers released a fix in March, and the vulnerability does not appear starting with builds 3.9.2, 3.8.4, 3.7.3 and 3.6.5, but it remains in the old 3.4.x and 3.5.x branches, which are no longer supported. In addition, the developers argue that the attack vector is very limited and requires the attacker to have access to the same infrastructure.
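The difference between the two /etc/shadow lines quoted above is the second colon-separated field: "!" locks password login, while an empty field means no password is required. The script below is an added example, not code from Alpine or Docker, that checks a shadow-format file for that condition; the function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow entries.
#   empty              -> no password required (the CVE-2019-5021 state)
#   starts with ! or * -> password login locked
#   anything else      -> a password hash is set

classify_shadow() {
    # $1: path to a shadow-format file; prints "<user> <state>" per entry
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }                 # skip blank/comment lines
        NF < 2               { print $1, "malformed"; next }
        $2 == ""             { print $1, "empty";     next }
        $2 ~ /^[!*]/         { print $1, "locked";    next }
                             { print $1, "hash" }
    ' "$1"
}

empty_password_accounts() {
    # Prints only the account names whose password field is empty
    classify_shadow "$1" | awk '$2 == "empty" { print $1 }'
}

shadow_is_safe() {
    # Exit status 0 when no account has an empty password field, 1 otherwise
    [ -z "$(empty_password_accounts "$1")" ]
}

# Constructed sample: the vulnerable root line quoted in the article plus a
# made-up locked service account ("svc" is hypothetical).
sample=$(mktemp)
printf '%s\n' 'root:::0:::::' 'svc:!::0:::::' > "$sample"
classify_shadow "$sample"
if shadow_is_safe "$sample"; then
    echo "OK: no empty passwords"
else
    echo "FAIL: empty password for: $(empty_password_accounts "$sample")"
fi
rm -f "$sample"
```

To audit a real image, run the functions against a copy of its /etc/shadow and fail the build when `shadow_is_safe` returns non-zero.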

Source: opennet.ru
