PT-2023-19187 · GitHub · GitHub Enterprise Server
Published: 2023-04-07 · Updated: 2023-04-13 · CVE-2023-23762
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.9
Description
An incorrect comparison issue was identified in GitHub Enterprise Server, allowing commit smuggling by displaying an incorrect diff. An attacker would need write access to the repository and correctly guess the target branch before it's created by the code maintainer.
Recommendations
For versions prior to 3.4.18, update to version 3.4.18.
For versions prior to 3.5.15, update to version 3.5.15.
For versions prior to 3.6.11, update to version 3.6.11.
For versions prior to 3.7.8, update to version 3.7.8.
For versions prior to 3.8.1, update to version 3.8.1.
As a temporary workaround, consider restricting write access to the repository to minimize the risk of exploitation.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
GitHub Enterprise Server