Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
SOLVED

Making QueryBuilderFeedServlet private

Avatar

Level 2

After doing a vulnerability scan we found the following vulnerability. How can I make the page not publicly accessible? It doesn't even mention what the page address is for this. I'm trying to find references to the servlet right now but am having a hard time. 

 

Adobe Experience Manager QueryBuilderFeedServlet page is publicly accessible. Sensitive information might be exposed via AEM's QueryBuilderFeedServlet.

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@Kerryu1 Please check the below post which has the similar query

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/should-not-respond-to-get-...

 

you can try like this in your dispatcher filter rules, "wknd" is sample site

 

##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}

  

View solution in original post

2 Replies

Avatar

Level 2

Update: I found the feed to be accessible via '/bin/querybuilder.feed' url. What would be the best approach to making this private? I don't know if it's a crucial endpoint for end users or not as well.

Avatar

Correct answer by
Community Advisor

@Kerryu1 Please check the below post which has the similar query

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/should-not-respond-to-get-...

 

you can try like this in your dispatcher filter rules, "wknd" is sample site

 

##This rule must be the last rule to block content grabbing in all paths
/9997 { /type "deny" /url "/content/dam/*" /suffix "*/bin/querybuilder.json*"}
/9998 { /type "deny" /url "/content/wknd/*" /suffix "*/bin/querybuilder.json*"}