ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols.

Severity: medium
Group ID: V-279097
Group Title: SRG-APP-000440-AS-000167
Version: APAS-CF-000895
Rule ID: SV-279097r1171591_rule
Date: 2025-12-19
STIG Version: 1
Description
The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or transmitted over unencrypted channels, they are susceptible to interception and tampering by malicious actors. This can lead to the introduction of malicious code, unauthorized access, and other security breaches. By ensuring that cfpm packages are transmitted using encrypted protocols, such as HTTPS, the integrity and confidentiality of the packages are maintained. This practice helps protect the server from potential threats and ensures that only trusted and verified packages are installed.
Check
Verify Package Manager Settings. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. If any Site URL is configured with an "HTTP" entry, this is a finding.
Fix
Configure Package Manager Settings.
1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
2. Enter an "HTTPS" entry into each of the Site URL fields.
3. Select "Submit Changes".