Title

ColdFusion must have any unused mappings removed. (Cat II impact)

Discussion

ColdFusion mappings define virtual paths to physical directories that can be accessed by ColdFusion applications. If unused or unnecessary mappings are left configured, they can present an unmonitored and potentially exploitable entry point for attackers. These mappings may inadvertently expose internal files, application code, or sensitive resources that are not intended for public or application-level access. Attackers can leverage such mappings to bypass access controls, perform directory traversal attacks, or gain insight into the server's file structure. Removing unused mappings reduces the attack surface and eliminates access to unnecessary or insecure directories, supporting the principle of least functionality.

Check Content

Verify Mappings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings. 2. For each of the mappings defined, ask the administrator if the mapping is being used by any hosted applications. If any of the mappings are not being used by the hosted applications, this is a finding.

Fix Text

Delete unused mappings. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Mappings. 2. Delete any mapping that is not being used by the hosted applications.

Additional Identifiers

Rule ID: SV-279045r1171287_rule

Vulnerability ID: V-279045

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.