We are currently facing an issue of list of packages getting exposed without logging in on AEM.
For example if I hit the URL like http<s>://<host>:<port>/crx/packmgr/list.jsp, I can see the JSON response showing the complete details of packages installed.
Not sure if this is with AEM 6.5.8.
Any fix for this?
This is a feature as part of http service interface for package management.
You can block it by using a custom filter. Please refer this thread same way you can block by implementing your own logic as part of servlet filter.
Hope this helps.
I tried in AEM 6.5 plain instance, AEM 6.5.6 and AEM 6.5.8 and don't see the packages list showing up without login. Make sure that you are not logged into publish instance in any other tab
I don't see it on 6.5.8
This is the response for me. Doesn't look like an issue in 6.5.8
Could it be a difference in permissions for everyone group or anonymous user?
I don't see this issue in AEM 6.5.7
can you try on the vanilla instance?