CVE-2023-23763 – Information disclosure in GitHub Enterprise Server leading to private repository leakage
https://notcve.org/view.php?id=CVE-2023-23763
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vulnerabilidad de autorización/divulgación de información sensible en GitHub Enterprise Server que permitía a un fork conservar el acceso de lectura a un repositorio upstream después de cambiar su visibilidad a privada. Esta vulnerabilidad afectaba a todas las versiones de GitHub Enterprise Server anteriores a la 3.10.0 y se solucionó en las versiones 3.9.4, 3.8.9, 3.7.16 y 3.6.18. • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.18-security-fixes https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.16-security-fixes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9-security-fixes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.4-security-fixes • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2023-23765 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23765
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/ . Se identificó una vulnerabilidad de comparación incorrecta en GitHub Enterprise Server que permitía el contrabando de commits mostrando un diff incorrecto en un Pull Request reabierto. Para explotar esta vulnerabilidad, un atacante necesitaría acceso de escritura al repositorio. • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.16 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.13 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.1 • CWE-697: Incorrect Comparison •
CVE-2023-23764 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23764
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub Enterprise Server versions 3.7.0 and above and was fixed in versions 3.7.9, 3.8.2, and 3.9.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.9 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.2 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.1 • CWE-697: Incorrect Comparison •
CVE-2023-37463 – Quadratic complexity bugs may lead to a denial of service
https://notcve.org/view.php?id=CVE-2023-37463
cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12. • https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12 https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5 • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-36867 – Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-36867
Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36867 •