Title: IP access control bypass in OpenAsset Digital Asset Management by OpenAsset
Discovery: Jack Misiura on behalf of The Missing Link Security
The application does not correctly determine the originating IP address of an HTTP request: it trusts the client-supplied X-Forwarded-For header, so an attacker can spoof the source address simply by sending that header themselves. By supplying a loopback address such as 127.0.0.1, an attacker can bypass all IP address based access controls configured for the software.
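The following is an added illustration, not OpenAsset's code, of why trusting an unverified X-Forwarded-For header defeats an IP allow-list, and of the usual fix: honour the header only when the TCP peer is a known reverse proxy, and read the chain from the right so that attacker-prepended entries are ignored. The allow-list, the trusted proxy address 192.0.2.10 and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed example, not OpenAsset's code. The allow-list and the
# trusted reverse-proxy address are hypothetical values for illustration.
ALLOW_LIST = [ipaddress.ip_network("127.0.0.1/32"),
              ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def client_ip_vulnerable(remote_addr, headers):
    """Pattern behind the bypass: X-Forwarded-For is trusted from anyone,
    and its first (leftmost) entry is whatever the client chose to send."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Only a connection from a trusted proxy may carry a forwarded address.
    The chain is walked from the right (entries appended by our proxies),
    skipping trusted hops, so the result is the address the nearest trusted
    proxy actually observed. Returns None when no address can be trusted."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return peer  # direct client: the header is untrusted and ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess, caller denies
        if not any(addr in net for net in trusted_proxies):
            return addr
    return None  # nothing but trusted proxies in the chain: unknown client


def is_allowed(addr):
    """Allow-list check; an unknown (None) address is always denied."""
    return addr is not None and any(addr in net for net in ALLOW_LIST)


if __name__ == "__main__":
    # Attacker on 203.0.113.5 connects directly and claims to be loopback.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", is_allowed(client_ip_vulnerable("203.0.113.5", spoofed)))  # True
    print("hardened:  ", is_allowed(client_ip_hardened("203.0.113.5", spoofed)))    # False
```

The hardened variant still depends on the deployment being configured correctly: the set of trusted proxies must match the actual load balancer or reverse proxy in front of the application, and the proxy must append, not replace, the peer address. A loopback or private address appearing in an allow-list decision for a request that arrived from a public peer is the condition to alert on.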
Discovered in: 12.0.19 (Cloud), 11.2.1 (On-Premise)
Fixed in: 12.0.20 (Cloud), 11.4.10 (On-Premise)
OpenAsset would like to thank Jack Misiura for reporting this vulnerability.