ColdFusion must store only encrypted representations of passwords.

Severity: medium
Group ID: V-279057
Group Title: SRG-APP-000171-AS-000119
Version: APAS-CF-000335
Rule ID: SV-279057r1171529_rule
Date: 2025-12-19
STIG Version: 1
Description
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords.
ℹ️ Check
Verify Proxy Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If a "Proxy Host" is provided with a "Proxy Username" and "Proxy Password", this is a finding.
✔️ Fix
Configure Proxy Settings.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.
2. Clear the "Proxy Host", "Proxy UserName", and "Proxy Password" fields.
3. Select "Submit Changes".