Common Weakness Enumeration

CWE-420

Allowed

Unprotected Alternate Channel

Abstraction: Base · Status: Draft

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

71 vulnerabilities reference this CWE, most recent first.

GHSA-RG5H-X2JJ-82PX

Vulnerability from github – Published: 2025-09-11 21:31 – Updated: 2025-09-11 21:31
VLAI
Details

An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability:

An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T19:15:35Z",
    "severity": "HIGH"
  },
  "details": "An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability:\n\nAn attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.",
  "id": "GHSA-rg5h-x2jj-82px",
  "modified": "2025-09-11T21:31:55Z",
  "published": "2025-09-11T21:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8557"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-201014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RH5Q-V9WW-RQGM

Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-10-22 00:33
VLAI
Details

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T19:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.",
  "id": "GHSA-rh5q-v9ww-rqgm",
  "modified": "2025-10-22T00:33:19Z",
  "published": "2025-07-18T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54309"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
    },
    {
      "type": "WEB",
      "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9X5-M47G-3GX6

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T16:15:24Z",
    "severity": "HIGH"
  },
  "details": "IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). The vulnerability allows any interactively logged in users on the target computer to run commands with full privileges in the context of NT AUTHORITY\\SYSTEM. This allows for a low privileged attacker to escalate their privileges. This vulnerability is due to an incomplete fix for CVE-2024-25029.",
  "id": "GHSA-w9x5-m47g-3gx6",
  "modified": "2025-04-08T18:34:41Z",
  "published": "2025-04-08T18:34:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1095"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7230335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQV3-8CM6-H6WG

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-01-06 22:23
VLAI
Summary
Improper Authentication in Kubernetes
Details

A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. If the example service on port 1234 required no additional authentication (because it assumed that only other localhost processes could reach it), then it could be vulnerable to attacks that make use of this bug.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.18.0"
            },
            {
              "fixed": "1.18.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0"
            },
            {
              "fixed": "1.17.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T19:30:36Z",
    "nvd_published_at": "2020-07-27T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. If the example service on port 1234 required no additional authentication (because it assumed that only other localhost processes could reach it), then it could be vulnerable to attacks that make use of this bug.",
  "id": "GHSA-wqv3-8cm6-h6wg",
  "modified": "2023-01-06T22:23:41Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-wqv3-8cm6-h6wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/92315"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8558"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tabbysable/POC-2020-8558"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200821-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2020/07/08/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authentication in Kubernetes"
}

GHSA-WXXX-GVQV-XP7P

Vulnerability from github – Published: 2026-05-11 16:17 – Updated: 2026-05-11 16:17
VLAI
Summary
LiteLLM has a sandbox escape in custom-code guardrail
Details

Impact

The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.

Reaching the endpoint requires a proxy-admin credential in default configurations.

Patches

Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.

Workarounds

If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.81.8"
            },
            {
              "fixed": "1.83.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:17:23Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process \u2014 which runs as root in the default Docker image.\n\n**Reaching the endpoint requires a proxy-admin credential** in default configurations.\n\n### Patches\n\nFixed in **`1.83.11`**. The hand-rolled sandbox has been replaced with `RestrictedPython`. Upgrade to `1.83.11` or later.\n\n### Workarounds\n\nIf upgrading is not immediately possible, block `POST /guardrails/test_custom_code` at your reverse proxy or API gateway.\n\n### References\n\n- Patched release: [`v1.83.10-stable`](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)",
  "id": "GHSA-wxxx-gvqv-xp7p",
  "modified": "2026-05-11T16:17:23Z",
  "published": "2026-05-11T16:17:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-wxxx-gvqv-xp7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40217"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BerriAI/litellm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LiteLLM has a sandbox escape in custom-code guardrail"
}

GHSA-X6FH-7QMF-69XH

Vulnerability from github – Published: 2025-10-23 06:31 – Updated: 2025-10-23 16:49
VLAI
Summary
Slack Nebula may accept arbitrary source IP addresses
Details

Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/slackhq/nebula"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.4"
            },
            {
              "fixed": "1.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-23T16:49:07Z",
    "nvd_published_at": "2025-10-23T04:18:57Z",
    "severity": "MODERATE"
  },
  "details": "Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.",
  "id": "GHSA-x6fh-7qmf-69xh",
  "modified": "2025-10-23T16:49:07Z",
  "published": "2025-10-23T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/slackhq/nebula/pull/1493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/slackhq/nebula/pull/1494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/slackhq/nebula/commit/e264a0ff888c7bf0568579306755a60fc42f6ecc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/slackhq/nebula"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Slack Nebula may accept arbitrary source IP addresses "
}

GHSA-X96R-V3VC-578H

Vulnerability from github – Published: 2025-11-19 18:31 – Updated: 2025-12-02 18:30
VLAI
Details

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-19T18:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator\u0027s username and encrypted password.",
  "id": "GHSA-x96r-v3vc-578h",
  "modified": "2025-12-02T18:30:26Z",
  "published": "2025-11-19T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13315"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XF23-WGV8-93V6

Vulnerability from github – Published: 2023-04-19 12:30 – Updated: 2024-04-04 03:35
VLAI
Details

Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T12:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Unprotected Alternate Channel vulnerability in debug console of  GateManager allows system administrator to obtain sensitive information.",
  "id": "GHSA-xf23-wgv8-93v6",
  "modified": "2024-04-04T03:35:09Z",
  "published": "2023-04-19T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0317"
    },
    {
      "type": "WEB",
      "url": "https://www.secomea.com/support/cybersecurity-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG9F-QGVM-J933

Vulnerability from github – Published: 2025-11-30 06:30 – Updated: 2025-11-30 06:30
VLAI
Details

In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-30T05:16:08Z",
    "severity": "MODERATE"
  },
  "details": "In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.",
  "id": "GHSA-xg9f-qgvm-j933",
  "modified": "2025-11-30T06:30:13Z",
  "published": "2025-11-30T06:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66432"
    },
    {
      "type": "WEB",
      "url": "https://docs.oxide.computer/security/advisories/20251117-1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0"
    },
    {
      "type": "WEB",
      "url": "https://oxide.computer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJWM-4PFW-49G2

Vulnerability from github – Published: 2025-08-03 03:30 – Updated: 2025-08-03 03:30
VLAI
Details

In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-03T02:15:37Z",
    "severity": "HIGH"
  },
  "details": "In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).",
  "id": "GHSA-xjwm-4pfw-49g2",
  "modified": "2025-08-03T03:30:30Z",
  "published": "2025-08-03T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54351"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esnet/iperf/commit/969b7f70c447513e92c9798f22e82b40ebc53bf0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esnet/iperf/releases/tag/3.19.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

No CAPEC attack patterns related to this CWE.