Check: APAS-CF-000895
Adobe ColdFusion STIG: APAS-CF-000895 (in version v1 r1)
Title
ColdFusion must ensure that ColdFusion Package Manager (cfpm) packages are transmitted using encrypted protocols. (Cat II impact)
Discussion
The cfpm is used to manage various packages and modules that extend the functionality of the ColdFusion server. If these packages are downloaded or transmitted over unencrypted channels, they are susceptible to interception and tampering by malicious actors. This can lead to the introduction of malicious code, unauthorized access, and other security breaches. By ensuring that cfpm packages are transmitted using encrypted protocols, such as HTTPS, the integrity and confidentiality of the packages are maintained. This practice helps protect the server from potential threats and ensures that only trusted and verified packages are installed.
Check Content
Verify Package Manager Settings. From the Admin Console Landing Screen, navigate to Package Manager >> Settings. If any Site URL is configured with "HTTP", this is a finding.
Fix Text
Configure Package Manager Settings.
1. From the Admin Console Landing Screen, navigate to Package Manager >> Settings.
2. Enter an "HTTPS" entry into each of the Site URL fields.
3. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279097r1171591_rule
Vulnerability ID: V-279097
Group Title: SRG-APP-000440-AS-000167
CCIs
| Number | Definition |
|---|---|
| CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
Controls
| Number | Title |
|---|---|
| SC-8(1) | Cryptographic Protection |