First published: Thu Jul 27 2023
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI: a reviewer could be shown changes that differ from what the pull request's commits actually introduce. To do so, an attacker would need write access to the repository, so the realistic threat is a malicious or compromised collaborator rather than an anonymous user. This vulnerability affected GitHub Enterprise Server versions 3.7.0 and above and was fixed in versions 3.7.9, 3.8.2, and 3.9.1. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
GitHub Enterprise Server | >=3.7.0, <3.7.9 | Upgrade to 3.7.9 |
GitHub Enterprise Server | >=3.8.0, <3.8.2 | Upgrade to 3.8.2 |
GitHub Enterprise Server | =3.9.0 | Upgrade to 3.9.1 |
CVE-2023-23764 is an incorrect comparison vulnerability in GitHub Enterprise Server that allows commit smuggling by displaying an incorrect diff within the GitHub pull request UI.
CVE-2023-23764 affects GitHub Enterprise Server 3.7.0 through 3.9.0: the 3.7.x releases before 3.7.9, the 3.8.x releases before 3.8.2, and 3.9.0. Releases before 3.7.0 are not affected.
CVE-2023-23764 has a severity rating of 7.1 (high).
To exploit CVE-2023-23764, an attacker would need write access to the repository on GitHub Enterprise Server.
Fixes are available for CVE-2023-23764. Upgrade to the first patched release on your release line: 3.7.9 for 3.7.x, 3.8.2 for 3.8.x, or 3.9.1 for 3.9.0; see the GitHub Enterprise Server release notes for those versions.
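Because the affected ranges are per release line and the fix is the next patch on the same line, a small check script is useful when you run several instances. The following is an added example, not code from GitHub or from the advisory: it encodes the advisory's ranges and reports, for a given GitHub Enterprise Server version string (however you obtain it, e.g. from the Management Console), whether CVE-2023-23764 applies and which release to upgrade to. The function names and the sample version list are this example's own.

```python
import re
from typing import Optional, Tuple

# Affected ranges for CVE-2023-23764, taken from the advisory: each entry is
# (lowest affected release, first fixed release) for one GHES release line.
# The advisory lists the 3.9 line as "=3.9.0", which is ">=3.9.0, <3.9.1".
AFFECTED_RANGES = (
    ((3, 7, 0), (3, 7, 9)),
    ((3, 8, 0), (3, 8, 2)),
    ((3, 9, 0), (3, 9, 1)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a GHES version string such as '3.7.10' into a numeric tuple.

    Comparing as integers matters: a plain string comparison would rank
    '3.7.10' below '3.7.9' and wrongly flag a patched instance as vulnerable.
    Anything after the third component (e.g. a build suffix) is ignored.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a GHES version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the instance's release line, or
    None if the given version falls in no affected range."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(x) for x in fixed)
    return None


def is_affected(version: str) -> bool:
    """True if the version is inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def check_instance(version: str) -> str:
    """One-line verdict suitable for a fleet report."""
    fix = fixed_version_for(version)
    if fix is None:
        return f"GHES {version}: not affected by CVE-2023-23764"
    return f"GHES {version}: AFFECTED by CVE-2023-23764, upgrade to {fix}"


if __name__ == "__main__":
    # Constructed sample of installed versions across a fleet; not real hosts.
    for v in ("3.6.12", "3.7.8", "3.7.9", "3.7.10", "3.8.1", "3.9.0", "3.9.1", "3.10.0"):
        print(check_instance(v))
```

The numeric tuple comparison is the part worth copying into any fleet inventory tooling: 3.7.10 is newer than 3.7.9 and therefore patched, which a lexicographic comparison of the version strings gets backwards.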