CVE-2023-23766: 
GitHub Enterprise Server vulnerability analysis and mitigation

An incorrect comparison vulnerability (CVE-2023-23766) was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. The vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported through the GitHub Bug Bounty program (NVD).

The vulnerability is classified as an incorrect comparison issue (CWE-697) that could be exploited when a pull request is re-opened. To exploit this vulnerability, an attacker would need write access to the repository. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.5 according to NVD, while GitHub's assessment rates it at 4.5 MEDIUM with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows commit smuggling through incorrect diff display in re-opened pull requests, potentially leading to unauthorized code modifications. The impact is primarily on the integrity of the code review process, though it requires the attacker to have write access to the repository (NVD).

The vulnerability has been patched in multiple GitHub Enterprise Server versions: 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. Organizations should upgrade to these or later versions to mitigate the vulnerability (GitHub Release Notes).