Cyber Resilience

CVE-2020-14372

High

Published: 03 March 2021

Published
03 March 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0145 81.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-14372 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Redhat Enterprise Linux Server Aus. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 18.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description…

more

Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gnu
grub2
≤ 2.06
redhat
enterprise linux
7.0, 8.0
redhat
enterprise linux server aus
7.2, 7.3, 7.4, 7.6, 7.7
redhat
enterprise linux server eus
7.6, 7.7, 8.1
redhat
enterprise linux server tus
7.4, 7.6, 7.7, 8.2
redhat
enterprise linux workstation
7.0
fedoraproject
fedora
33, 34
netapp
cloud backup
all versions
netapp
ontap select deploy administration utility
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-184

Spam filters rely on evolving blacklists, signatures, and heuristics of disallowed message patterns; keeping them updated per the control directly mitigates incomplete disallowed-input lists.

References