Making QueryBuilderFeedServlet private | Community
Level 2
July 27, 2023
Solved


After doing a vulnerability scan we found the following vulnerability. How can I make the page not publicly accessible? It doesn't even mention what the page address is for this. I'm trying to find references to the servlet right now but am having a hard time. 

 

Adobe Experience Manager QueryBuilderFeedServlet page is publicly accessible. Sensitive information might be exposed via AEM's QueryBuilderFeedServlet.

 


Kerryu1 (Author)
Level 2
July 27, 2023

Update: I found the feed to be accessible via the '/bin/querybuilder.feed' URL. What would be the best approach to making this private? I don't know if it's a crucial endpoint for end users or not as well.

Saravanan_Dharmaraj
Community Advisor
Accepted solution
July 28, 2023

@kerryu1 Please check the post below, which has a similar query:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/should-not-respond-to-get-bin-querybuilder-feed-css-with-200/m-p/326310

You can try something like this in your dispatcher filter rules; "wknd" is a sample site.


##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}
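
The rules in the answer match the `/bin/querybuilder.json` suffix under `/content/...`, while the URL reported in the update is the servlet path itself, `/bin/querybuilder.feed`. The fragment below is an added example, not from the thread or from Adobe's shipped configuration, showing filter rules for that path; the rule numbers and their placement in the farm's `/filter` section are assumptions.

```conf
# Fragment for the /filter section of a Dispatcher farm file.
# Rule numbers are assumptions; pick ones that sort after your "allow" rules,
# because Dispatcher applies the LAST rule that matches a request.

# Deny the servlet by its decomposed request parts:
#   /bin/querybuilder.feed  -> path "/bin/querybuilder", extension "feed"
#   /bin/querybuilder.json  -> path "/bin/querybuilder", extension "json"
# Single quotes mark a regular expression, double quotes a glob.
/9995 { /type "deny" /path "/bin/querybuilder" /extension '(feed|json)' }

# Deny by URL glob as well. This also covers requests with extra selectors,
# such as /bin/querybuilder.feed.css (the case named in the linked post),
# where the extension is "css" and the rule above would not match.
/9996 { /type "deny" /url "/bin/querybuilder*" }
```

After reloading the web server, a GET for `/bin/querybuilder.feed` sent through the Dispatcher should no longer return 200, which is the condition the scanner finding and the linked post both check.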