Weaknesses
NodeZero's identifies and surfaces many weaknesses that it finds during a pentest. These weaknesses
are identified by a Common Vulnerabilities and Exposures (CVE) identifier (e.g. CVE-2021-44228), or a Horizon3.ai weakness
identifier (e.g. H3-2022-0001).
This page provides a reference for Horizon3.ai Weaknesses identified by NodeZero. For information on CVEs identified by NodeZero, please reference the official CVE website maintained by MITRE.
| Weakness ID | Name |
|---|---|
| H3-2020-0001 | Remote Desktop Username Disclosure |
| H3-2020-0002 | Anonymous Access to ZooKeeper API |
| H3-2020-0003 | Anonymous Access to Printer using PJL or PS |
| H3-2020-0004 | Zone Transfer Allowed to Any Server |
| H3-2020-0005 | Anonymous FTP Enabled |
| H3-2020-0006 | LDAP Null Bind Allowed |
| H3-2020-0007 | SMB Null Session Allowed |
| H3-2020-0008 | Guest Account Enabled |
| H3-2020-0009 | Weak NFS Export Permissions |
| H3-2020-0010 | NFS UID/GID Manipulation Possible |
| H3-2020-0012 | LLMNR/NBT-NS Poisoning Possible |
| H3-2020-0014 | Weak or Default Credentials |
| H3-2020-0016 | Insecure IPMI Implementation |
| H3-2020-0017 | IPMI Cipher Zero Vulnerability |
| H3-2020-0018 | Fundamentally Insecure Protocols Detected |
| H3-2020-0021 | Unauthenticated Access to the Jenkins Script Console |
| H3-2020-0022 | Insecure Java JMX Configuration |
| H3-2020-0023 | Apache Hadoop YARN ResourceManager Unauthenticated Command Execution |
| H3-2020-0028 | FTP Directory Traversal Vulnerability |
| H3-2020-0030 | Android Debug Bridge (ADB) over TCP Enabled |
| H3-2021-0001 | Public Access to Amazon S3 Bucket |
| H3-2021-0002 | Subdomain Takeover |
| H3-2021-0003 | Unauthenticated Access to Sensitive Kubelet API Endpoints |
| H3-2021-0004 | Kubernetes Privileged Container Exposure |
| H3-2021-0005 | Unauthenticated Kubelet API Remote Code Execution Vulnerability |
| H3-2021-0006 | Unauthenticated Kubernetes API Server Access |
| H3-2021-0007 | Kubernetes Service Account Token Exposure |
| H3-2021-0008 | Unauthenticated Etcd Access |
| H3-2021-0009 | Unauthenticated Docker Registry API Access |
| H3-2021-0010 | Unauthenticated Docker Engine API Access |
| H3-2021-0011 | Kerberos Pre-Authentication Disabled |
| H3-2021-0012 | Weak or Default Credentials - FTP |
| H3-2021-0013 | Weak or Default Credentials - Telnet |
| H3-2021-0014 | Weak or Default Credentials - SSH |
| H3-2021-0015 | Weak or Default Credentials - SNMP |
| H3-2021-0016 | Weak or Default Credentials - Microsoft SQL Server |
| H3-2021-0017 | Weak or Default Credentials - MySQL |
| H3-2021-0018 | Weak or Default Credentials - Postgres |
| H3-2021-0019 | Weak or Default Credentials - Password Spray |
| H3-2021-0020 | Weak or Default Credentials - Cracked Credentials |
| H3-2021-0021 | Weak or Default Credentials - Web Applications |
| H3-2021-0022 | IPV6 DNS Hijacking Possible Using Mitm6 |
| H3-2021-0023 | Public Access to Azure Blob Storage Container |
| H3-2021-0024 | Dangling DNS Record |
| H3-2021-0029 | AWS Unrestricted Assume Role Access |
| H3-2021-0030 | SMB Signing Not Required |
| H3-2021-0031 | Public Access to Git Repository |
| H3-2021-0032 | Credential Reuse |
| H3-2021-0033 | mDNS Poisoning Possible |
| H3-2021-0034 | LLMNR Poisoning Possible |
| H3-2021-0035 | NBT-NS Poisoning Possible |
| H3-2021-0036 | Unauthenticated Access to Elasticsearch |
| H3-2021-0038 | Kerberoasting |
| H3-2021-0039 | Unrestricted Sudo Privileges |
| H3-2021-0040 | AWS Instance Metadata Service v1 Exposed |
| H3-2021-0042 | Credential Dumping - Security Account Manager (SAM) Database |
| H3-2021-0043 | Credential Dumping - Local Security Authority (LSA) Secrets |
| H3-2021-0044 | Credential Dumping - Local Security Authority Subsystem Service (LSASS) Memory |
| H3-2021-0045 | Credential Dumping - /etc/shadow File |
| H3-2021-0046 | Credential Dumping - Active Directory Services Database (NTDS) |
| H3-2022-0002 | Azure Multi-Factor Authentication Disabled |
| H3-2022-0003 | Remote Desktop Protocol (RDP) Port Exposed to the Internet |
| H3-2022-0004 | Server Message Block (SMB) Port Exposed to the Internet |
| H3-2022-0005 | Secure Socket Shell (SSH) Port Exposed to the Internet |
| H3-2022-0006 | Database Port Exposed to the Internet |
| H3-2022-0007 | Telnet Port Exposed to the Internet |
| H3-2022-0008 | File Transfer Protocol (FTP) Port Exposed to the Internet |
| H3-2022-0009 | Simple Network Management Protocol (SNMP) Port Exposed to the Internet |
| H3-2022-0010 | Risky Port Exposed to the Internet |
| H3-2022-0016 | Active Directory Certificate Services Misconfiguration Privilege Escalation - Subject Alternative Name |
| H3-2022-0017 | Active Directory Certificate Services Misconfiguration Privilege Escalation - Any Purpose or No (aka SubCA) EKU Misconfiguration |
| H3-2022-0018 | Active Directory Certificate Services Misconfigured Enrollment Agent Template |
| H3-2022-0019 | Active Directory Certificate Services Misconfigured Template Requires Enrollment Agent Signature |
| H3-2022-0020 | Active Directory Certificate Services Misconfigured Template Access Controls |
| H3-2022-0021 | Active Directory Certificate Services Domain Escalation via Vulnerable PKI AD Object Access Controls |
| H3-2022-0022 | Active Directory Certificate Services - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set |
| H3-2022-0023 | Active Directory Certificate Services: Vulnerable Certificate Authority Access Control |
| H3-2022-0024 | Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS HTTP Endpoint |
| H3-2022-0033 | Unauthenticated Access to Jenkins People Directory |
| H3-2022-0041 | Symfony Profiler Enabled |
| H3-2022-0067 | Weak or Default Credentials - MongoDB |
| H3-2022-0069 | Web Directory Listing |
| H3-2022-0070 | Anonymous MongoDB Access |
| H3-2022-0074 | AWS Assume Role Access |
| H3-2022-0075 | Public-Facing Application Exposed with HTTP Basic Authentication |
| H3-2022-0076 | Unauthenticated AWS Cognito Role |
| H3-2022-0078 | Unauthenticated Gitlab User Enumeration |
| H3-2022-0079 | Credential Dumping - AWS Instance Metadata Service v2 |
| H3-2022-0080 | WordPress Unauthenticated User Enumeration |
| H3-2022-0082 | Exposed Kubernetes Version |
| H3-2022-0084 | Credential Reuse - Windows Local Administrator Accounts |
| H3-2022-0085 | Credential Reuse - Shared Windows Local User and Domain User Accounts |
| H3-2022-0086 | Domain User with Local Administrator Privileges |
| H3-2022-0087 | Password Reuse |
| H3-2022-0088 | Public Access to Amazon EC2 AMI |
| H3-2022-0089 | Public Access to Amazon EBS Snapshot |
| H3-2022-0090 | Public Access to Amazon RDS Snapshot |
| H3-2022-0093 | Weak or Default Credentials - Cracked Credentials from Active Directory Services Database (NTDS) |
| H3-2022-0095 | Password Reuse Found in Active Directory Services Database (NTDS) |
| H3-2023-0001 | Apache Superset Authentication Bypass Misconfiguration |
| H3-2023-0002 | Flask Authentication Bypass Misconfiguration |
| H3-2023-0003 | Pre-Windows 2000 Computer Set |
| H3-2023-0008 | AWS Multi-Factor Authentication Disabled |
| H3-2023-0009 | Kerberos Unconstrained Delegation |
| H3-2023-0010 | Kerberos Constrained Delegation |
| H3-2023-0019 | Credential Dumping - Data Protection API (DPAPI) Secrets |
| H3-2023-0020 | PaperCut File Upload Remote Code Execution Vulnerability |
| H3-2023-0021 | Phished Credential |
| H3-2023-0022 | PaperCut Arbitrary File Read and Deletion Vulnerability |
| H3-2023-0023 | Apache Solr Arbitrary File Read Vulnerability |
| H3-2023-0027 | NextGen Mirth Connect Remote Code Execution Vulnerability |
| H3-2023-0029 | Password in Active Directory User Attribute |
| H3-2023-0030 | Active Directory - User Password Not Required |
| H3-2024-0001 | AWS Privilege Escalation - iam:AttachUserPolicy |
| H3-2024-0002 | AWS Privilege Escalation - iam:PutUserPolicy |
| H3-2024-0003 | AWS Privilege Escalation - iam:AttachRolePolicy |
| H3-2024-0004 | AWS Privilege Escalation - iam:PutRolePolicy |
| H3-2024-0005 | AWS Privilege Escalation - iam:CreateAccessKey |
| H3-2024-0006 | AWS Privilege Escalation - iam:CreateLoginProfile |
| H3-2024-0007 | AWS Privilege Escalation - iam:UpdateLoginProfile |
| H3-2024-0008 | AWS Privilege Escalation - iam:UpdateAssumeRolePolicy |
| H3-2024-0009 | AWS Privilege Escalation - iam:CreatePolicyVersion |
| H3-2024-0010 | Microsoft Entra (AzureAD) Connect Credential Dumping |
| H3-2024-0011 | Microsoft Entra (AzureAD) - Over-Privileged Service Principal |
| H3-2024-0012 | Microsoft Entra (AzureAD) - Service Principal Takeover |
| H3-2024-0016 | AWS Privilege Escalation - iam:AttachGroupPolicy |
| H3-2024-0017 | AWS Privilege Escalation - iam:PutGroupPolicy |
| H3-2024-0018 | Redis Unauthenticated Access Vulnerability |
| H3-2024-0019 | Credential Dumping - Office365 Application Memory |
| H3-2024-0029 | Active Directory User has Entra Administrator Role |
| H3-2024-0030 | Traccar Device Image Upload Remote Code Execution Vulnerability |
| H3-2024-0032 | Traccar Self-Signup Enabled |
| H3-2024-0034 | NTLM Authentication Endpoint Exposed to the Internet |
| H3-2024-0035 | AWS Access Key Id Third Party Canary |
| H3-2024-0036 | Improper use of AWS Administrator Access |
| H3-2024-0037 | Azure Cloud Kerberos Trust Abuse |
| H3-2024-0038 | Microsoft Entra (AzureAD) - Entra Group Takeover |
| H3-2024-0039 | Microsoft Graph App Role Privilege Elevation |