6.5

CVE-2023-23765

EPSS 0.08%
Veröffentlicht 30.08.2023 23:15:08
Zuletzt bearbeitet 21.11.2024 07:46:47
Quelle product-cna@github.com
CVE-Watchlists
Login
Unerledigt
Login

Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the  GitHub Bug Bounty Program https://bounty.github.com/ .

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 4 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Github ≫ Enterprise Server Version >= 3.6.0 < 3.6.16

Github ≫ Enterprise Server Version >= 3.7.0 < 3.7.13

Github ≫ Enterprise Server Version >= 3.8.0 < 3.8.6

Github ≫ Enterprise Server Version3.9.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.226

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
product-cna@github.com	4.8	0.5	4.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N

CWE-697 Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect.

https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.1

Release Notes

https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.16

Release Notes

https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.13

Release Notes

https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-23765

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-23765

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-23765

EUVD