ColdFusion must have the sample data directories removed.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-279051 | SRG-APP-000141-AS-000095 | APAS-CF-000275 | SV-279051r1171473_rule | 2025-12-19 | 1 |
| Description |
|---|
| ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to ColdFusion and to those systems connected to ColdFusion. To alleviate this issue, sample code, data, and services must be deleted. |
| ℹ️ Check |
|---|
| 1. Locate each directory of the ColdFusion instances and observe their subdirectories. If the "db" subdirectory exists, this is a finding. If the "cfx" subdirectory exists, this is a finding. 2. From the Admin Console Landing Screen, navigate to Package Manager >> Packages. If the "gateway" subdirectory exists and the "eventgateways" package is not listed as installed, this is a finding. If the "gql" subdirectory exists and the "graphqlclient" package is not listed as installed, this is a finding. |
| ✔️ Fix |
|---|
| Delete all sample directories not referenced by an installed package in each ColdFusion instance directory. |