CVE-2023-23766 — MEDIUM (4.5)

Q: How severe is CVE-2023-23766?

CVE-2023-23766 has been rated MEDIUM with a CVSS base score of 4.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-23766?

Check the references section above for vendor advisories and patch information. Affected products include: Github Enterprise Server.

Vulnerability Description

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Score

4.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Github	Enterprise Server	< 3.6.17

Related Weaknesses (CWE)

CWE-697

References

https://docs.github.com/[email protected]/admin/release-notes#3.10.1Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.6.17Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.7.15Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.8.8Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.9.3Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.10.1Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.6.17Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.7.15Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.8.8Release Notes
https://docs.github.com/[email protected]/admin/release-notes#3.9.3Release Notes

FAQ

What is CVE-2023-23766?

CVE-2023-23766 is a vulnerability with a CVSS score of 4.5 (MEDIUM). An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would ...

How severe is CVE-2023-23766?

CVE-2023-23766 has been rated MEDIUM with a CVSS base score of 4.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-23766?

Check the references section above for vendor advisories and patch information. Affected products include: Github Enterprise Server.