Vulnerability Details : CVE-2023-23766
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program.
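The advisory gives only a fixed-version table, so the practical question for an administrator is "is my instance below the patched release for its branch?". The following check is an added example, not GitHub's code and not part of the CVE record. It encodes the fixed versions listed above; the `installed_version` field it reads is the one reported by the GHES `GET /api/v3/meta` endpoint (an assumption about that endpoint, and the JSON body below is constructed, not captured). Branches newer than 3.10 are not listed in the advisory, so the check reports them as "not listed" rather than guessing.

```python
"""Check a GitHub Enterprise Server version against the CVE-2023-23766
fixed-version table. Added example; the table below is taken from the
advisory text, everything else is this example's own logic."""
import json
import re
from typing import Optional, Tuple

# Minimum patched release per branch, as listed in the advisory.
FIXED_VERSIONS = {
    (3, 6): (3, 6, 17),
    (3, 7): (3, 7, 15),
    (3, 8): (3, 8, 8),
    (3, 9): (3, 9, 3),
    (3, 10): (3, 10, 1),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (trailing suffixes such as '.rc1' are ignored)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates the fix for its branch, False if it is at or
    above the fixed release, None if the branch is not listed in the advisory."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    # Branches older than 3.6 received no fix; the advisory says all versions
    # were affected, so treat them as unpatched.
    if branch < (3, 6):
        return True
    # Branches newer than 3.10 are not covered by the advisory table.
    return None


def assess_meta(meta_json: str) -> dict:
    """Evaluate the JSON body of GET /api/v3/meta (assumed to carry an
    'installed_version' field) and return a small verdict record."""
    meta = json.loads(meta_json)
    version = meta["installed_version"]
    status = is_vulnerable(version)
    verdict = {True: "VULNERABLE", False: "FIXED", None: "NOT LISTED"}[status]
    return {"installed_version": version, "vulnerable": status, "verdict": verdict}


# Constructed sample response, not captured from a real instance.
SAMPLE_META = '{"installed_version": "3.9.2", "verifiable_password_authentication": true}'

if __name__ == "__main__":
    print(assess_meta(SAMPLE_META))
    for v in ("3.6.16", "3.6.17", "3.10.0", "3.10.1", "3.5.9", "3.11.0"):
        print(v, is_vulnerable(v))
```

Run it against the JSON returned by `curl -s https://<ghes-host>/api/v3/meta` to get the same verdict for a live instance; the `installed_version` field name should be confirmed against the GHES release you run.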
Products affected by CVE-2023-23766
- cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:github:enterprise_server:3.10.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23766
EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~44% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-23766
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST
4.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N | 0.9 | 3.6 | GitHub, Inc. (Products Only)
CWE ids for CVE-2023-23766
- The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. Assigned by: nvd@nist.gov (Primary), product-cna@github.com (Secondary)
References for CVE-2023-23766
- https://docs.github.com/enterprise-server@3.6/admin/release-notes#3.6.17 (Release notes - GitHub Enterprise Server 3.6 Docs)
- https://docs.github.com/enterprise-server@3.7/admin/release-notes#3.7.15 (Release notes - GitHub Enterprise Server 3.7 Docs)
- https://docs.github.com/enterprise-server@3.8/admin/release-notes#3.8.8 (Release notes - GitHub Enterprise Server 3.8 Docs)
- https://docs.github.com/enterprise-server@3.9/admin/release-notes#3.9.3 (Release notes - GitHub Enterprise Server 3.9 Docs)
- https://docs.github.com/enterprise-server@3.10/admin/release-notes#3.10.1 (Release notes - GitHub Enterprise Server 3.10 Docs)