CVE-2023-23765

Summary

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/ .

Affected Software

VendorProductVersion RangeStatus
GitHubEnterprise Server3.6.0 < 3.6.16affected
GitHubEnterprise Server3.7.0 < 3.7.13affected
GitHubEnterprise Server3.8.0 < 3.8.6affected
GitHubEnterprise Server3.9.0 < 3.9.1affected

Weaknesses

  • CWE-697: CWE-697 Incorrect Comparison

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References