Impact
The vulnerability arises from the lack of validation of X-Forwarded-For headers in the GAO EPDS and CBCA EDS authentication logic. By injecting arbitrary X-Forwarded-For values, an attacker with compromised administrator credentials can trick the system into believing the request originates from an allowed internal IP. This bypasses network access controls that rely on IP filtering and enables unauthorized use of the application’s administrative functionality. The flaw is a direct Access Control bypass identified as CWE-940.
Affected Systems
The affected services are the GAO Electronic Protest Docketing System (EPDS) and the CBCA Electronic Docketing System (EDS). The advisory does not enumerate specific software versions, so any existing installation that still uses the default authentication and header handling is vulnerable. These systems are typically deployed in government or contractor environments that enforce IP-based access policies.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker already holds administrative credentials, thus the attack surface is limited to compromised accounts. However, once credentialed, the attacker can modify the X-Forwarded-For header to override IP-based restrictions and gain remote access to otherwise restricted resources. The attack vector is likely remote over HTTP/HTTPS.
OpenCVE Enrichment