Some Alpine Linux Docker images have shipped with a root account and no password. Cisco Talos researchers discovered the bug, tested each version and released their findings on Wednesday. Vulnerable images of Alpine Linux Dockers were available via the official Docker Hub portal since late 2015. The empty password in configuration file bug (CVE-2019-5021) has a critical CVSS rating of 9.8. The impact of the bug may be limited, according to some users chiming in on GitHub.
Source: https://threatpost.com/alpine-linux-docker-images-unlocked/144542/