CWE-501
AllowedTrust Boundary Violation
Abstraction: Base · Status: Draft
The product mixes trusted and untrusted data in the same data structure or structured message.
50 vulnerabilities reference this CWE, most recent first.
CVE-2020-15096 (GCVE-0-2020-15096)
Vulnerability from cvelistv5 – Published: 2020-07-07 00:10 – Updated: 2024-08-04 13:08- CWE-501 - Trust Boundary Violation
| URL | Tags |
|---|---|
| https://www.electronjs.org/releases/stable?page=3… | x_refsource_MISC |
| https://github.com/electron/electron/security/adv… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "electron",
"vendor": "electron",
"versions": [
{
"status": "affected",
"version": "\u003c 6.1.1"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.2.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"status": "affected",
"version": "\u003e=9.0.0-beta.0, \u003c 9.0.0-beta.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using \"contextIsolation\" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-07T00:10:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg"
}
],
"source": {
"advisory": "GHSA-6vrv-94jv-crrg",
"discovery": "UNKNOWN"
},
"title": "Context isolation bypass via Promise in Electron",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15096",
"STATE": "PUBLIC",
"TITLE": "Context isolation bypass via Promise in Electron"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "electron",
"version": {
"version_data": [
{
"version_value": "\u003c 6.1.1"
},
{
"version_value": "\u003e= 7.0.0, \u003c 7.2.4"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"version_value": "\u003e=9.0.0-beta.0, \u003c 9.0.0-beta.21"
}
]
}
}
]
},
"vendor_name": "electron"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using \"contextIsolation\" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-501 Trust Boundary Violation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824",
"refsource": "MISC",
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"name": "https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg",
"refsource": "CONFIRM",
"url": "https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg"
}
]
},
"source": {
"advisory": "GHSA-6vrv-94jv-crrg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15096",
"datePublished": "2020-07-07T00:10:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4077 (GCVE-0-2020-4077)
Vulnerability from cvelistv5 – Published: 2020-07-07 00:05 – Updated: 2024-08-04 07:52- CWE-501 - Trust Boundary Violation
| URL | Tags |
|---|---|
| https://github.com/electron/electron/security/adv… | x_refsource_CONFIRM |
| https://www.electronjs.org/releases/stable?page=3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "electron",
"vendor": "electron",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0-beta.0, \u003c= 9.0.0-beta.20"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"status": "affected",
"version": "\u003c 7.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-07T00:05:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
}
],
"source": {
"advisory": "GHSA-h9jc-284h-533g",
"discovery": "UNKNOWN"
},
"title": "Context isolation bypass via contextBridge in Electron",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4077",
"STATE": "PUBLIC",
"TITLE": "Context isolation bypass via contextBridge in Electron"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "electron",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0-beta.0, \u003c= 9.0.0-beta.20"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"version_value": "\u003c 7.2.4"
}
]
}
}
]
},
"vendor_name": "electron"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-501 Trust Boundary Violation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g",
"refsource": "CONFIRM",
"url": "https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g"
},
{
"name": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824",
"refsource": "MISC",
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
}
]
},
"source": {
"advisory": "GHSA-h9jc-284h-533g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4077",
"datePublished": "2020-07-07T00:05:16.000Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-08-04T07:52:20.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4076 (GCVE-0-2020-4076)
Vulnerability from cvelistv5 – Published: 2020-07-07 00:05 – Updated: 2024-08-04 07:52- CWE-501 - Trust Boundary Violation
| URL | Tags |
|---|---|
| https://www.electronjs.org/releases/stable?page=3… | x_refsource_MISC |
| https://github.com/electron/electron/security/adv… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "electron",
"vendor": "electron",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0-beta.0, \u003c= 9.0.0-beta.20"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"status": "affected",
"version": "\u003c 7.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-07T00:05:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79"
}
],
"source": {
"advisory": "GHSA-m93v-9qjc-3g79",
"discovery": "UNKNOWN"
},
"title": "Context isolation bypass via leaked cross-context objects in Electron",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4076",
"STATE": "PUBLIC",
"TITLE": "Context isolation bypass via leaked cross-context objects in Electron"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "electron",
"version": {
"version_data": [
{
"version_value": "\u003e= 9.0.0-beta.0, \u003c= 9.0.0-beta.20"
},
{
"version_value": "\u003e= 8.0.0, \u003c 8.2.4"
},
{
"version_value": "\u003c 7.2.4"
}
]
}
}
]
},
"vendor_name": "electron"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-501 Trust Boundary Violation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824",
"refsource": "MISC",
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
},
{
"name": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79",
"refsource": "CONFIRM",
"url": "https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79"
}
]
},
"source": {
"advisory": "GHSA-m93v-9qjc-3g79",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4076",
"datePublished": "2020-07-07T00:05:21.000Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-08-04T07:52:20.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0035 (GCVE-0-2019-0035)
Vulnerability from cvelistv5 – Published: 2019-04-10 20:13 – Updated: 2024-09-16 17:47- CWE-501 - Trust Boundary Violation
| URL | Tags |
|---|---|
| https://kb.juniper.net/JSA10924 | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
15.1 , < 15.1F6-S12, 15.1R7-S3
(custom)
Affected: 15.1X49 , < 15.1X49-D160 (custom) Affected: 15.1X53 , < 15.1X53-D236, 15.1X53-D496, 15.1X53-D68 (custom) Affected: 16.1 , < 16.1R3-S10, 16.1R6-S6, 16.1R7-S3 (custom) Affected: 16.1X65 , < 16.1X65-D49 (custom) Affected: 16.2 , < 16.2R2-S8 (custom) Affected: 17.1 , < 17.1R2-S10, 17.1R3 (custom) Affected: 17.2 , < 17.2R1-S8, 17.2R3-S1 (custom) Affected: 17.3 , < 17.3R3-S3 (custom) Affected: 17.4 , < 17.4R1-S6, 17.4R2-S2 (custom) Affected: 18.1 , < 18.1R2-S4, 18.1R3-S3 (custom) Affected: 18.2 , < 18.2R2 (custom) Affected: 18.2X75 , < 18.2X75-D40 (custom) Affected: 18.3 , < 18.3R1-S2 (custom) Unaffected: all , < 15.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:07.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.juniper.net/JSA10924"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "15.1F6-S12, 15.1R7-S3",
"status": "affected",
"version": "15.1",
"versionType": "custom"
},
{
"lessThan": "15.1X49-D160",
"status": "affected",
"version": "15.1X49",
"versionType": "custom"
},
{
"lessThan": "15.1X53-D236, 15.1X53-D496, 15.1X53-D68",
"status": "affected",
"version": "15.1X53",
"versionType": "custom"
},
{
"lessThan": "16.1R3-S10, 16.1R6-S6, 16.1R7-S3",
"status": "affected",
"version": "16.1",
"versionType": "custom"
},
{
"lessThan": "16.1X65-D49",
"status": "affected",
"version": "16.1X65",
"versionType": "custom"
},
{
"lessThan": "16.2R2-S8",
"status": "affected",
"version": "16.2",
"versionType": "custom"
},
{
"lessThan": "17.1R2-S10, 17.1R3",
"status": "affected",
"version": "17.1",
"versionType": "custom"
},
{
"lessThan": "17.2R1-S8, 17.2R3-S1",
"status": "affected",
"version": "17.2",
"versionType": "custom"
},
{
"lessThan": "17.3R3-S3",
"status": "affected",
"version": "17.3",
"versionType": "custom"
},
{
"lessThan": "17.4R1-S6, 17.4R2-S2",
"status": "affected",
"version": "17.4",
"versionType": "custom"
},
{
"lessThan": "18.1R2-S4, 18.1R3-S3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThan": "18.2R2",
"status": "affected",
"version": "18.2",
"versionType": "custom"
},
{
"lessThan": "18.2X75-D40",
"status": "affected",
"version": "18.2X75",
"versionType": "custom"
},
{
"lessThan": "18.3R1-S2",
"status": "affected",
"version": "18.3",
"versionType": "custom"
},
{
"lessThan": "15.1",
"status": "unaffected",
"version": "all",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Administrators can disable root login connections to the console, and if running a fixed release, restrict single-user mode password recovery via the following configuration command:\n\n user@host# set system ports console insecure"
}
],
"datePublic": "2019-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When \"set system ports console insecure\" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using \"set system root-authentication plain-text-password\" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. OAM volumes (e.g. flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68; 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1."
}
],
"exploits": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-10T20:13:51.000Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.juniper.net/JSA10924"
}
],
"solutions": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X49-D160, 15.1X53-D236, 15.1X53-D496, 15.1X53-D68, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X65-D49, 16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S3, 17.4R1-S6, 17.4R2-S2, 18.1R2-S4, 18.1R3-S3, 18.2R2, 18.2X75-D40, 18.3R1-S2, 18.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA10924",
"defect": [
"1368998"
],
"discovery": "INTERNAL"
},
"title": "Junos OS: \u0027set system ports console insecure\u0027 allows root password recovery on OAM volumes",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to the recovery console to only trusted administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2019-04-10T16:00:00.000Z",
"ID": "CVE-2019-0035",
"STATE": "PUBLIC",
"TITLE": "Junos OS: \u0027set system ports console insecure\u0027 allows root password recovery on OAM volumes"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.1",
"version_value": "15.1F6-S12, 15.1R7-S3"
},
{
"version_affected": "\u003c",
"version_name": "15.1X49",
"version_value": "15.1X49-D160"
},
{
"version_affected": "\u003c",
"version_name": "15.1X53",
"version_value": "15.1X53-D236, 15.1X53-D496, 15.1X53-D68"
},
{
"version_affected": "\u003c",
"version_name": "16.1",
"version_value": "16.1R3-S10, 16.1R6-S6, 16.1R7-S3"
},
{
"version_affected": "\u003c",
"version_name": "16.1X65",
"version_value": "16.1X65-D49"
},
{
"version_affected": "\u003c",
"version_name": "16.2",
"version_value": "16.2R2-S8"
},
{
"version_affected": "\u003c",
"version_name": "17.1",
"version_value": "17.1R2-S10, 17.1R3"
},
{
"version_affected": "\u003c",
"version_name": "17.2",
"version_value": "17.2R1-S8, 17.2R3-S1"
},
{
"version_affected": "\u003c",
"version_name": "17.3",
"version_value": "17.3R3-S3"
},
{
"version_affected": "\u003c",
"version_name": "17.4",
"version_value": "17.4R1-S6, 17.4R2-S2"
},
{
"version_affected": "\u003c",
"version_name": "18.1",
"version_value": "18.1R2-S4, 18.1R3-S3"
},
{
"version_affected": "\u003c",
"version_name": "18.2",
"version_value": "18.2R2"
},
{
"version_affected": "\u003c",
"version_name": "18.2X75",
"version_value": "18.2X75-D40"
},
{
"version_affected": "\u003c",
"version_name": "18.3",
"version_value": "18.3R1-S2"
},
{
"version_affected": "!\u003c",
"version_name": "all",
"version_value": "15.1"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "Administrators can disable root login connections to the console, and if running a fixed release, restrict single-user mode password recovery via the following configuration command:\n\n user@host# set system ports console insecure"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When \"set system ports console insecure\" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using \"set system root-authentication plain-text-password\" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. OAM volumes (e.g. flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68; 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-501 Trust Boundary Violation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA10924",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA10924"
}
]
},
"solution": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X49-D160, 15.1X53-D236, 15.1X53-D496, 15.1X53-D68, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X65-D49, 16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S3, 17.4R1-S6, 17.4R2-S2, 18.1R2-S4, 18.1R3-S3, 18.2R2, 18.2X75-D40, 18.3R1-S2, 18.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA10924",
"defect": [
"1368998"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to the recovery console to only trusted administrators."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2019-0035",
"datePublished": "2019-04-10T20:13:51.292Z",
"dateReserved": "2018-10-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:47:37.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-227W-WV4J-67H4
Vulnerability from github – Published: 2022-02-09 22:30 – Updated: 2026-01-22 20:53Impact
This affects all Artemis users who test Java assignments. Ares is not required. Students code that gets automatically tested can run arbitrary code in the container, or arbitrary code on the machine of an assessor in case of manual correction.
Patches
The problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>enforce-no-student-code-in-trusted-packages</id>
<phase>process-classes</phase>
<goals>
<goal>enforce</goal>
</goals>
</execution>
</executions>
<configuration>
<rules>
<requireFilesDontExist>
<files>
<!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->
</files>
</requireFilesDontExist>
</rules>
</configuration>
</plugin>
This fails the build if student classes reside in such packages that Ares trusts. Trusted packages added in Ares using @AddTrustedPackage should be added as well.
For more information
If you have any questions or comments about this advisory: * Open a discussion https://github.com/ls1intum/Ares/discussions * Open an issue in https://github.com/ls1intum/Ares/issues * Email us, see https://github.com/ls1intum/Ares/security/policy
References
See the assignment of Julius that passes the tests in TUM Artemis course: "Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests" (if that still exists in 2022).
Also see #15 for almost the same problem.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "de.tum.in.ase:artemis-java-test-sandbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23682"
],
"database_specific": {
"cwe_ids": [
"CWE-501",
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-09T22:30:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis affects all Artemis users who test Java assignments. **Ares is not required.**\nStudents code that gets automatically tested can run arbitrary code in the container,\nor arbitrary code on the machine of an assessor in case of manual correction.\n\n### Patches\nThe problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:\n\n```xml\n\u003cplugin\u003e\n \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n \u003cartifactId\u003emaven-enforcer-plugin\u003c/artifactId\u003e\n \u003cversion\u003e3.0.0\u003c/version\u003e\n \u003cexecutions\u003e\n \u003cexecution\u003e\n \u003cid\u003eenforce-no-student-code-in-trusted-packages\u003c/id\u003e\n \u003cphase\u003eprocess-classes\u003c/phase\u003e\n \u003cgoals\u003e\n \u003cgoal\u003eenforce\u003c/goal\u003e\n \u003c/goals\u003e\n \u003c/execution\u003e\n \u003c/executions\u003e\n \u003cconfiguration\u003e\n \u003crules\u003e\n \u003crequireFilesDontExist\u003e\n \u003cfiles\u003e\n \u003c!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING --\u003e\n \u003c/files\u003e\n \u003c/requireFilesDontExist\u003e\n \u003c/rules\u003e\n \u003c/configuration\u003e\n\u003c/plugin\u003e\n```\n\nThis fails the build if student classes reside in such packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added as well.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion https://github.com/ls1intum/Ares/discussions\n* Open an issue in https://github.com/ls1intum/Ares/issues\n* Email us, see https://github.com/ls1intum/Ares/security/policy\n\n### References\nSee the assignment of Julius that passes the tests in TUM Artemis course: \"Test - Praktikum: Grundlagen der Programmierung (Testkurs f\u00fcr Tutoren) - Security Tests\" (if that still exists in 2022).\n\nAlso see #15 for almost the same problem.",
"id": "GHSA-227w-wv4j-67h4",
"modified": "2026-01-22T20:53:41Z",
"published": "2022-02-09T22:30:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ls1intum/Ares/security/advisories/GHSA-227w-wv4j-67h4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23682"
},
{
"type": "WEB",
"url": "https://github.com/ls1intum/Ares/issues/15"
},
{
"type": "PACKAGE",
"url": "https://github.com/ls1intum/Ares"
},
{
"type": "WEB",
"url": "https://github.com/ls1intum/Ares/releases/tag/1.8.0"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-227w-wv4j-67h4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Class Loading Vulnerability in Artemis"
}
GHSA-22W6-C8H9-6MX7
Vulnerability from github – Published: 2026-03-31 18:31 – Updated: 2026-03-31 18:31NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted application is not disabled. A successful exploit of this vulnerability might lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-24153"
],
"database_specific": {
"cwe_ids": [
"CWE-501"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T17:16:30Z",
"severity": "MODERATE"
},
"details": "NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted application is not disabled. A successful exploit of this vulnerability might lead to information disclosure.",
"id": "GHSA-22w6-c8h9-6mx7",
"modified": "2026-03-31T18:31:31Z",
"published": "2026-03-31T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24153"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36JR-8W83-WR8Q
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30Visual Studio Code Python Extension Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49050"
],
"database_specific": {
"cwe_ids": [
"CWE-501"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:45Z",
"severity": "HIGH"
},
"details": "Visual Studio Code Python Extension Remote Code Execution Vulnerability",
"id": "GHSA-36jr-8w83-wr8q",
"modified": "2024-11-12T18:30:59Z",
"published": "2024-11-12T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49050"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5R25-P9F2-W2XV
Vulnerability from github – Published: 2025-02-19 18:32 – Updated: 2026-03-25 00:31A flaw was found in grub2. Grub's dump command is not blocked when grub is in lockdown mode, which allows the user to read any memory information, and an attacker may leverage this in order to extract signatures, salts, and other sensitive information from the memory.
{
"affected": [],
"aliases": [
"CVE-2025-1118"
],
"database_specific": {
"cwe_ids": [
"CWE-501"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T18:15:24Z",
"severity": "MODERATE"
},
"details": "A flaw was found in grub2. Grub\u0027s dump command is not blocked when grub is in lockdown mode, which allows the user to read any memory information, and an attacker may leverage this in order to extract signatures, salts, and other sensitive information from the memory.",
"id": "GHSA-5r25-p9f2-w2xv",
"modified": "2026-03-25T00:31:11Z",
"published": "2025-02-19T18:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1118"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16154"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-1118"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346137"
},
{
"type": "WEB",
"url": "https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VRV-94JV-CRRG
Vulnerability from github – Published: 2020-07-07 00:01 – Updated: 2021-01-07 23:48Impact
Apps using contextIsolation are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.218.2.47.2.46.1.11
For more information
If you have any questions or comments about this advisory: * Email us at security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15096"
],
"database_specific": {
"cwe_ids": [
"CWE-501"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-06T23:55:38Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nApps using `contextIsolation` are affected.\n\nThis is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.\n\n### Workarounds\nThere are no app-side workarounds, you must update your Electron version to be protected.\n\n### Fixed Versions\n* `9.0.0-beta.21`\n* `8.2.4`\n* `7.2.4`\n* `6.1.11`\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-6vrv-94jv-crrg",
"modified": "2021-01-07T23:48:19Z",
"published": "2020-07-07T00:01:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15096"
},
{
"type": "WEB",
"url": "https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Context isolation bypass via Promise in Electron"
}
GHSA-7328-G372-24VF
Vulnerability from github – Published: 2026-01-13 15:37 – Updated: 2026-01-15 12:30Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
{
"affected": [],
"aliases": [
"CVE-2026-0886"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-501"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T14:16:39Z",
"severity": "MODERATE"
},
"details": "Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox \u003c 147, Firefox ESR \u003c 115.32, and Firefox ESR \u003c 140.7.",
"id": "GHSA-7328-g372-24vf",
"modified": "2026-01-15T12:30:26Z",
"published": "2026-01-13T15:37:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0886"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005658"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-01"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-03"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-04"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.