ColdFusion must have the sample data directories removed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-279051 | APAS-CF-000275 | SV-279051r1171473_rule | CCI-000381 | low |

| Description |
|---|
| ColdFusion is installed with directories that contain sample code, data, and services. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Leaving them available on a production system gives an attacker a gateway to ColdFusion and to the systems connected to ColdFusion. To alleviate this issue, sample code, data, and services must be deleted. |

| STIG | Date |
|---|---|
| Adobe ColdFusion Security Technical Implementation Guide | 2025-12-19 |
Details
Check Text (C-279051r1171473_chk)
1. Locate each directory of the ColdFusion instances and observe their subdirectories.
If the "db" subdirectory exists, this is a finding.
If the "cfx" subdirectory exists, this is a finding.
2. From the Admin Console Landing Screen, navigate to Package Manager >> Packages.
If the "gateway" subdirectory exists and the "eventgateways" package is not listed as installed, this is a finding.
If the "gql" subdirectory exists and the "graphqlclient" package is not listed as installed, this is a finding.
Fix Text (F-83504r1170926_fix)
Delete all sample directories not referenced by an installed package in each ColdFusion instance directory.
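The check above can be scripted per instance directory, and the directories it reports are the ones the fix text says to delete. This Python script is an added example, not part of the STIG or of Adobe's tooling. It assumes the auditor passes in the package names read from Package Manager >> Packages for that instance; the name `audit_instance` and the case-insensitive matching are choices made for this example.

```python
import sys
from pathlib import Path

# Check step 1: these subdirectories are a finding whenever they exist.
ALWAYS_FINDING = {"db", "cfx"}
# Check step 2: these are a finding only if the named package is not installed.
PACKAGE_BACKED = {"gateway": "eventgateways", "gql": "graphqlclient"}


def audit_instance(instance_dir, installed_packages):
    """Return a list of (subdirectory, reason) findings for one instance directory.

    installed_packages: names copied by the auditor from Package Manager >> Packages.
    """
    root = Path(instance_dir)
    if not root.is_dir():
        # A mistyped path must not be reported as "no findings".
        raise FileNotFoundError(f"instance directory not found: {root}")
    installed = {p.strip().lower() for p in installed_packages}
    findings = []
    for child in sorted(root.iterdir()):
        if not child.is_dir():
            continue
        name = child.name.lower()  # assumption: match names case-insensitively
        if name in ALWAYS_FINDING:
            findings.append((child.name, "sample directory present"))
        elif name in PACKAGE_BACKED and PACKAGE_BACKED[name] not in installed:
            package = PACKAGE_BACKED[name]
            findings.append((child.name, f"package {package!r} not listed as installed"))
    return findings


if __name__ == "__main__":
    # Usage: audit.py INSTANCE_DIR [INSTALLED_PACKAGE ...]
    if len(sys.argv) < 2:
        sys.exit("usage: audit.py INSTANCE_DIR [INSTALLED_PACKAGE ...]")
    results = audit_instance(sys.argv[1], sys.argv[2:])
    for subdir, reason in results:
        print(f"FINDING: {Path(sys.argv[1]) / subdir}: {reason}")
    sys.exit(1 if results else 0)
```

Run it once per ColdFusion instance directory; a non-zero exit status means at least one finding was reported.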