Adobe Experience Manager Sites & More

ashishkhadpe · 7/13/21

Hi All,

We are currently facing an issue of list of packages getting exposed without logging in on AEM.

For example if I hit the URL like http<s>://<host>:<port>/crx/packmgr/list.jsp, I can see the JSON response showing the complete details of packages installed.

Not sure if this is with AEM 6.5.8.

Any fix for this?

RajaShankar · 7/13/21

Hi @ashishkhadpe

This is a feature as part of http service interface for package management.

You can block it by using a custom filter. Please refer this thread same way you can block by implementing your own logic as part of servlet filter.

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-json-extensio...

Hope this helps.

Regards,

Rajashankar.R

View solution in original post

arunpatidar · 7/13/21

Hi,

I don't see this issue in AEM 6.5.7

can you try on the vanilla instance?

Arun Patidar

Shubham_borole · 7/13/21

Hi,

I don't see it on 6.5.8

This is the response for me. Doesn't look like an issue in 6.5.8

{"results":[],"total":0}

Could it be a difference in permissions for everyone group or anonymous user?

Ravi_Pampana · 7/13/21

Hi,

I tried in AEM 6.5 plain instance, AEM 6.5.6 and AEM 6.5.8 and don't see the packages list showing up without login. Make sure that you are not logged into publish instance in any other tab