ColdFusion must have any unused mappings removed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279045 | APAS-CF-000235 | SV-279045r1171287_rule | CCI-000381 | medium |
| Description | ||||
| ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings are left configured, they can present an unmonitored and potentially exploitable entry point for attackers. These mappings may inadvertently expose internal files, application code, or sensitive resources that are not intended for public or application-level access. Attackers can leverage such mappings to bypass access controls, perform directory traversal attacks, or gain insight into the server's file structure. Removing unused mappings reduces the attack surface and eliminates access to unnecessary or insecure directories, supporting the principle of least functionality. | ||||
| STIG | Date | |||
| Adobe ColdFusion Security Technical Implementation Guide | 2025-12-19 | |||
Details
Check Text (C-279045r1171287_chk)
Verify Mappings.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings.
2. For each of the mappings defined, ask the administrator if the mapping is being used by any hosted applications.
If any of the mappings are not being used by the hosted applications, this is a finding.
Fix Text (F-83498r1171286_fix)
Delete unused mappings.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings.
2. Delete any mapping that is not being used by the hosted applications.