CVE-2019-5021
Description
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Alpine Linux Docker images since v3.3 have a NULL password for root, allowing privilege escalation when PAM or shadow is used.
Vulnerability
The Official Alpine Linux Docker images (versions 3.3 through 3.9 and edge) contain a NULL password for the root user in /etc/shadow, a regression introduced in December 2015 [1]. This results in a blank sp_pwdp field, causing the system to treat the root account as having no password rather than locked [1]. Affected versions include all releases from v3.3 onward, with v3.5, v3.4, and v3.3 being end-of-life and still vulnerable [2].
Exploitation
An attacker must first gain shell access to the container (e.g., through an unrelated vulnerability) or have local user access. If the shadow or linux-pam packages are installed, the system may use /etc/shadow for authentication, and the empty root password allows the attacker to switch to the root user without providing a password [2]. No network-based remote exploitation is possible without prior access.
Impact
Successful exploitation results in privilege escalation from an unprivileged user to root within the container, granting full control over the container's resources and data [2]. The CVSSv3 score is 9.8 (Critical) due to the potential for complete compromise of confidentiality, integrity, and availability [1].
Mitigation
Fixed releases are available as of 7 March 2019: edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, and v3.6.5 [2]. Users of older or EOL versions (v3.3 through v3.5) can apply a workaround by adding the following line to their Dockerfile:
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
This disables the root password by replacing the empty field with !. Alternatively, avoid installing linux-pam or shadow packages in the container [2].
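The following audit script is an added example (not from the Alpine advisory or this page): it parses shadow-file content, flags accounts whose password field (sp_pwdp) is empty as opposed to locked or hashed, and applies the same root-locking edit as the sed workaround above. The shadow lines used as input are constructed sample data, not a dump from a real image.

```python
"""Detect the CVE-2019-5021 condition in shadow-file content and apply the
documented workaround (root:: -> root:!:) so the root account reads as locked."""
import re
import sys

def parse_shadow(text):
    """Map user -> password field (sp_pwdp) for each well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:           # skip junk that is not user:passwd:...
            continue
        entries[fields[0]] = fields[1]
    return entries

def classify(pw):
    """Empty field = no password needed; '!' or '*' prefix = locked; else a hash."""
    if pw == "":
        return "empty"
    if pw.startswith(("!", "*")):
        return "locked"
    return "hashed"

def find_empty_password_accounts(text):
    """Accounts that accept a NULL password when /etc/shadow backs authentication."""
    return sorted(u for u, pw in parse_shadow(text).items() if classify(pw) == "empty")

def lock_root(text):
    """Same edit as the Dockerfile workaround: sed -i -e 's/^root::/root:!:/'."""
    return re.sub(r"^root::", "root:!:", text, flags=re.MULTILINE)

# Constructed sample (not a real image's shadow file): root has an empty field,
# bin is locked, app has a (placeholder) hash.
SAMPLE_VULNERABLE = (
    "root:::0:::::\n"
    "bin:!::0:::::\n"
    "app:$6$constructedsalt$constructedhash:18000:0:99999:7:::\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"
    with open(path) as fh:
        bad = find_empty_password_accounts(fh.read())
    print("empty-password accounts:", bad or "none")
```

Run it against an extracted image filesystem (e.g. `python audit.py rootfs/etc/shadow`) to confirm that root no longer appears in the output after the workaround is applied.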
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=v3.3
- Range: >=3.3
- osv-coords (5 versions):
  pkg:rpm/opensuse/system-user-root&distro=openSUSE%20Leap%2015.0
  pkg:rpm/opensuse/system-user-root&distro=openSUSE%20Leap%2015.1
  pkg:rpm/suse/suse-sles12sp3-image&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
  pkg:rpm/suse/system-user-root&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
  pkg:rpm/suse/system-user-root&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1
- (no CPE) range: < 20190513-lp151.3.3.1
- (no CPE) range: < 20190513-lp151.3.3.1
- (no CPE) range: < 2.0.2-22.1
- (no CPE) range: < 20190513-3.3.1
- (no CPE) range: < 20190513-3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html (mitre; vendor-advisory; x_refsource_SUSE)
- www.securityfocus.com/bid/108288 (mitre; vdb-entry; x_refsource_BID)
- alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html (mitre; x_refsource_MISC)
- security.netapp.com/advisory/ntap-20190510-0001/ (mitre; x_refsource_CONFIRM)
- support.f5.com/csp/article/K25551452 (mitre; x_refsource_CONFIRM)
- talosintelligence.com/vulnerability_reports/TALOS-2019-0782 (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.