Impact
The vulnerability lies in the U.S. Government Accountability Office Electronic Protest Docketing System and the Civilian Board of Contract Appeals Electronic Docketing System, which unconditionally trust the client‑supplied "epds_role_id" request parameter. An authenticated user can supply a value that the servers treat as a privilege level, thereby elevating their own permissions without any verification. This flaw represents a classic privilege escalation flaw (CWE‑602) and allows a remote attacker to gain unauthorized access to functions normally restricted to higher‑privileged users.
Affected Systems
The affected systems are the EPDS used by the GAO and the EDS used by the CBCA. The only vendor information provided is the GAO for EPDS and the Civilian Board of Contract Appeals for EDS. No specific product versions are listed, so all current deployments of the EPDS and EDS without a patch are potentially vulnerable.
Risk and Exploitability
The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, but the lack of a listing in the CISA KEV catalog suggests no known widespread exploitation yet. The attack requires remote authenticated access, but once authenticated, an attacker can manipulate the role field and elevate privileges. This places the risk in the high category, with significant potential for unauthorized data access or modification if exploited.
OpenCVE Enrichment