CVE-2023-23762: 
GitHub Enterprise Server vulnerability analysis and mitigation

An incorrect comparison vulnerability (CVE-2023-23762) was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was fixed in versions 3.4.18, 3.5.15, 3.6.11, 3.7.8, and 3.8.1. This vulnerability was reported through the GitHub Bug Bounty program (NVD, GitHub Release Notes).

The vulnerability is classified as CWE-697 (Incorrect Comparison) and received a CVSS v3.1 base score of 5.3 (MEDIUM) from NVD with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N. GitHub's own assessment rated it at 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N (NVD).

The vulnerability could allow an attacker to perform commit smuggling by displaying an incorrect diff. To exploit this vulnerability, an attacker would need write access to the repository and be able to correctly guess the target branch before it's created by the code maintainer (NVD).

The vulnerability has been fixed in multiple GitHub Enterprise Server versions: 3.4.18, 3.5.15, 3.6.11, 3.7.8, and 3.8.1. Organizations should upgrade to these patched versions or later to mitigate the vulnerability (GitHub Release Notes).