Impact
The GAO Electronic Protest Docketing System and the CBCA Electronic Docketing System allow password changes via the '/update-profile/N' API without authenticating the requester. A remote attacker who can reach this endpoint can set a new password for any user account. This results in credential compromise, enabling an attacker to gain unauthorized access to all resources protected by the affected systems and potentially expose sensitive data. The weakness is classified as CWE-306, an authentication bypass that undermines credential control.
Affected Systems
The vulnerability affects two U.S. federal systems: the Civilian Board of Contract Appeals Electronic Docketing System and the Government Accountability Office Electronic Protest Docketing System. No specific versioning information is provided, so all deployed instances are considered potentially vulnerable until a vendor patch is applied.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity. Exploit probability is not available from EPSS, and the vulnerability is not listed in the CISA KEV catalog, but the lack of authentication on a remote API endpoint represents a clear and straightforward attack path. A remote, unauthenticated attacker can exploit the flaw with minimal effort, making the risk high in environments where these systems are publicly reachable.
OpenCVE Enrichment