Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling

CVE-2023-23765

4.8MEDIUM

Key Information

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 30 August 2023

Summary

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/ .

Affected Version(s)

Enterprise Server < 3.6.16

Enterprise Server < 3.7.13

Enterprise Server < 3.8.6

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: 6.5 to: 4.8 - (MEDIUM)
Sep 27, 2024
Vulnerability published.
Aug 30, 2023
Vulnerability Reserved.
Jan 17, 2023

Collectors

NVD DatabaseMitre Database

Credit

inspector-amibitious