ColdFusion must store only encrypted representations of passwords.

Overview

Finding ID: V-279057
Version: APAS-CF-000335
Rule ID: SV-279057r1171529_rule
IA Controls: CCI-000196
Severity: medium

Description
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords.

STIG: Adobe ColdFusion Security Technical Implementation Guide
Date: 2025-12-19

Details

Check Text (C-279057r1171529_chk)

Verify Proxy Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If a "Proxy Host" is provided with a "Proxy Username" and "Proxy Password", this is a finding.

Fix Text (F-83510r1170944_fix)

Configure Proxy Settings.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.
2. Clear the "Proxy Host", "Proxy UserName", and "Proxy Password" fields.
3. Select "Submit Changes".