Adobe Experience Manager writable JCR nodes via querybuilder
Description
Adobe Experience Manager (AEM) is an enterprise content management solution for building websites, mobile apps, and forms.
This vulnerability exposes writable Java Content Repository (JCR) nodes through the querybuilder API endpoint. The querybuilder endpoint incorrectly reveals JCR nodes where unauthorized or low-privileged users have write permissions, allowing attackers to enumerate misconfigured access controls within the content repository.
Remediation
Apply the latest Adobe Experience Manager security hotfixes immediately to address this vulnerability. Follow these steps to remediate:

1. Review Adobe Security Bulletin APSB25-90 to identify the appropriate hotfix for your AEM version.
2. Download and install the security hotfix package through the AEM Package Manager.
3. After applying the hotfix, audit your JCR repository permissions using the Access Control Management tools to identify and remediate overly permissive write access.
4. Implement the principle of least privilege by restricting write permissions to only the necessary user groups and service accounts.
5. Disable or restrict access to the querybuilder endpoint if it is not required for your application's functionality.
6. Monitor AEM access logs for suspicious querybuilder API usage patterns that may indicate exploitation attempts.

For additional hardening, consider implementing a Web Application Firewall (WAF) rule to restrict querybuilder endpoint access to authorized IP addresses or authenticated users only.
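As an added illustration of step 6 (this is example code written for this page, not code from Adobe or from the advisory), the script below scans AEM access.log lines and flags querybuilder requests that are unauthenticated, unbounded (p.limit=-1 or very large), scoped to administrative subtrees, or arriving in bursts from one source. The log layout it parses is the combined-log-like format AEM writes (timestamp bracketed or not); the sample lines, the thresholds, and the list of sensitive subtrees are constructed assumptions to tune for your installation.

```python
"""Flag suspicious AEM querybuilder usage in access.log lines.

Added example for the remediation step "monitor AEM access logs"; not code
from Adobe or from the advisory. SAMPLE_LOG is constructed, and the
thresholds and SENSITIVE_ROOTS are assumptions to adjust per installation.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# AEM's access.log is laid out like Apache's combined log; the timestamp may
# or may not be bracketed, so both forms are accepted by the pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) (?P<ts>\[[^\]]+\]|\S+ \S+) '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

QUERYBUILDER_PATHS = ("/bin/querybuilder.json", "/bin/querybuilder.feed")
BULK_LIMIT = 1000    # assumed: p.limit above this (or -1 = unlimited) is "bulk"
BURST_PER_IP = 20    # assumed: more querybuilder hits than this from one IP
# Assumed: subtrees ordinary site users have no reason to query.
SENSITIVE_ROOTS = ("/home/users", "/home/groups", "/etc", "/conf", "/apps")


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def flags_for(rec):
    """Reasons one querybuilder request looks suspicious (empty if none)."""
    reasons = []
    if rec["user"] == "-":
        reasons.append("anonymous")      # endpoint reached without a login
    limit = rec["params"].get("p.limit", ["10"])[0]
    try:
        if int(limit) < 0 or int(limit) > BULK_LIMIT:
            reasons.append("bulk")       # p.limit=-1 asks for every hit
    except ValueError:
        pass
    root = rec["params"].get("path", [""])[0]
    if root.startswith(SENSITIVE_ROOTS):
        reasons.append("sensitive_path")
    return reasons


def analyze(lines):
    """Return (findings, per_ip_counts) for querybuilder hits in the lines."""
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(QUERYBUILDER_PATHS):
            continue
        per_ip[rec["ip"]] += 1
        reasons = flags_for(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "user": rec["user"],
                             "status": rec["status"], "reasons": reasons})
    for ip, n in per_ip.items():
        if n > BURST_PER_IP:
            findings.append({"ip": ip, "user": None, "status": None,
                             "reasons": ["burst:%d" % n]})
    return findings, per_ip


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # ordinary authenticated, bounded query: not flagged
    '10.0.0.8 - author1 02/Jun/2020:12:34:56 +0000 "GET /bin/querybuilder.json'
    '?path=/content/site&type=cq:Page&p.limit=20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # unauthenticated, unlimited query over the user tree: flagged
    '198.51.100.7 - - 02/Jun/2020:12:35:01 +0000 "GET /bin/querybuilder.json'
    '?path=/home/users&p.limit=-1 HTTP/1.1" 200 65536 "-" "curl/7.64.1"',
    # unrelated page request, bracketed timestamp: ignored
    '10.0.0.8 - author1 [02/Jun/2020:12:35:05 +0000] "GET /content/site/en.html'
    ' HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]
# 25 harmless-looking queries from one service account: flagged as a burst
SAMPLE_LOG += [
    '203.0.113.9 - svc-reader 02/Jun/2020:12:36:%02d +0000 "GET /bin/querybuilder.json'
    '?path=/content&p.limit=10 HTTP/1.1" 200 512 "-" "python-requests/2.25"' % i
    for i in range(25)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

Feed it real access.log lines (for example `analyze(open(path))`) and tune BULK_LIMIT and BURST_PER_IP against a baseline of legitimate querybuilder traffic before alerting on the output.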