Security vulnerability scan reports to disable anonymous access to "/ui/scripts/main.js" on ESXi Host UI


Article ID: 374416


Products

VMware vSphere ESXi 7.0

Issue/Introduction

A security vulnerability scan reports that the ESXi Host web client allows directory listing of /ui/scripts/main.js, that the file is accessible to anonymous users, and that this access must be disabled or blocked.

web program allows directory listing: /ui/scripts/main.js ("+n.name+" parameter)

Modify the web program such that it does not disclose directory contents.

 

Environment

VMware ESXi Host 7.x

Resolution

  • The main.js script is essential for the proper functioning of the UI: it must be publicly accessible so that the browser can request and load the necessary JavaScript files.
  • This behavior is consistent across both ESXi hosts and the vCenter UI. For reference, in the vCenter Client UI, the main.js file is also available anonymously at https://<vCenter-IP>/ui/static/resources/ng-next-app/main.js
  • The JavaScript (main.js bundle) is sent to the client side, so no sensitive information should be embedded in those scripts.

 

Hence, access to /ui/scripts/main.js on the Host/vCenter cannot be disabled or blocked.
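
A triage check for this kind of finding, as an added example that is not VMware's or the scanner vendor's code: it separates a server-generated directory index from a static JavaScript asset and looks for secret-like strings in the bundle, in line with the point above that nothing sensitive should be embedded in it. The marker patterns, secret patterns, function name and all sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: markers typical of server-generated index pages (illustrative, not exhaustive).
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Directory listing for /", re.I),
]

# Assumption: illustrative patterns for material that must not ship in a client-side bundle.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"""\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']""", re.I),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}"),
}

def triage(content_type, body):
    """Classify a response that a scanner flagged as an anonymous directory listing."""
    # An index page is HTML generated by the server; a bundle is served as JavaScript.
    is_html = "html" in content_type.lower()
    listing = is_html and any(p.search(body) for p in LISTING_MARKERS)
    secrets = sorted(n for n, p in SECRET_PATTERNS.items() if p.search(body))
    if listing:
        verdict = "directory-listing"          # real finding: disable auto-indexing
    elif secrets:
        verdict = "static-asset-with-secrets"  # real finding: remove the secret, rotate it
    else:
        verdict = "static-asset"               # public by design, nothing sensitive found
    return {"verdict": verdict, "secrets": secrets}

# Constructed sample responses (not captured from any real host).
BUNDLE = ('function row(n){return "<li>"+n.name+"</li>"}'
          'var f={label:"Password",type:"password",title:"Index of /"};')
LEAKY = 'var cfg={user:"svc",password:"Constructed-Example-1"};'
INDEX = ('<html><head><title>Index of /ui/scripts/</title></head><body>'
         '<a href="main.js">main.js</a></body></html>')

if __name__ == "__main__":
    for name, ctype, body in [("bundle", "application/javascript", BUNDLE),
                              ("leaky", "application/javascript", LEAKY),
                              ("index", "text/html", INDEX)]:
        print(name, triage(ctype, body))
```
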