Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
ColdFusion must not allow application variables to be added to Servlet Context.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62469 | CF11-05-000164 | SV-76959r1_rule | Medium |
| Description |
|---|
| ColdFusion allows applications to add application variables to the Servlet Context. This allows an application to add data or change configuration data for all hosted applications. By sharing data across applications, the applications are no longer isolated with one application affecting other applications. By disabling this capability, the hosted applications, including the Administrator Console, are isolated. |
| STIG | Date |
|---|---|
| Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-06-15 |
Details
| Check Text ( C-63273r1_chk ) |
|---|
| Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allow adding application variables to Servlet Context" is checked, this is a finding. |
| Fix Text (F-68389r1_fix) |
|---|
| Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Allow adding application variables to Servlet Context" and select the "Submit Changes" button. |