CVE-2022-38654: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in HCL Software HCL Domino
HCL Domino is susceptible to an information disclosure vulnerability. In some scenarios, local calls made on the server to search the Domino directory will ignore xACL read restrictions. An authenticated attacker could leverage this vulnerability to access attributes from a user's person record.
AI Analysis
Technical Summary
CVE-2022-38654 is an information disclosure vulnerability affecting HCL Domino versions 9 through 12. Domino's extended ACL (xACL) lets an administrator restrict, on top of the database ACL, which entries and which fields of the Domino Directory a given user may read, and the server enforces those restrictions on directory access that arrives over the network from Notes clients or LDAP clients. The flaw is that, in some scenarios, a directory search issued locally on the server itself (by code running on the server rather than by a remote client) is not subject to the xACL read restrictions. An authenticated user who can cause such a local lookup can therefore read attributes of another user's person record that the xACL was meant to hide. The weakness is classified under CWE-200 (exposure of sensitive information to an unauthorized actor). The CVSS 3.1 base score is 5.5 (medium), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: local access (AV:L) and low privileges (PR:L) are required, attack complexity is low (AC:L), no user interaction is needed (UI:N), scope is unchanged (S:U), and the impact is high on confidentiality (C:H) with none on integrity or availability. The local attack vector is the qualifier that matters when triaging: a remote, unprivileged user does not get this bypass; the exposure is to accounts, agents, or other code that already operate on the server. No exploits in the wild are known, and no fix reference is linked on this page, so consult HCL's advisory for the release that addresses it. Domino is widely deployed for enterprise mail, calendaring, and directory services, so the attributes at risk (contact details, organizational data, and whatever other person-document fields the xACL was protecting) could feed targeted follow-on attacks or privacy violations.
Potential Impact
For European organizations using HCL Domino, this vulnerability puts the confidentiality of user data held in the Domino Directory at risk. Because the bypass is available to authenticated users who can issue directory lookups locally on the server, the realistic threat actors are insiders, administrators with more access than they need, compromised server-side accounts, and agents or other code that an attacker has managed to run on the server. The data exposed can include personally identifiable information (PII), organizational roles, and other person-record attributes the xACL was protecting, which can in turn be used for social engineering, identity theft, or lateral movement within the network. The impact is most serious for sectors with stringent data protection obligations under GDPR, such as finance, healthcare, and government, where unauthorized disclosure can bring regulatory penalties, reputational damage, and loss of customer trust. The vulnerability does not affect integrity or availability, but a confidentiality breach of the directory alone can have significant operational and compliance consequences. No exploits in the wild are known, which lowers the immediate risk; the local-access requirement also limits who can abuse it, but for anyone who already has that access exploitation is straightforward, so the fix should be scheduled promptly.
Mitigation Recommendations
1. Until the fix is installed, treat the xACL read restrictions on the Domino Directory as ineffective against code that runs locally on the affected server, and review who can reach the server that way: the programmability restrictions in the server document (who may run restricted and unrestricted agents, and who may sign agents to run on behalf of others), Full Access Administrator membership, and operating-system accounts on the server host.
2. Restrict access to Domino servers to trusted personnel only, minimizing the number of accounts that can log on to the server host or run code on it.
3. Enforce strict account management, including multi-factor authentication for administrators and other users with server-level access, to reduce the chance that a compromised credential becomes the local foothold this vulnerability requires.
4. Review the database ACL of the Domino Directory together with the xACL configuration so that only the minimum necessary read access is granted. The xACL still governs network access, so do not loosen it; just do not rely on it alone for fields that must stay confidential.
5. Monitor Domino server logs for unusual directory lookups, agent executions, or activity from accounts that do not normally run code on the server, as these are the patterns an abuse of this flaw would produce.
6. Where possible, segregate Domino servers from general-purpose network segments to limit lateral movement if a server-side account is compromised.
7. Obtain the fix from HCL Software's support advisory for this CVE (no fix reference is linked on this page) and plan a timely upgrade to a fixed release.
8. Conduct regular security audits and penetration tests focused on directory access controls within the Domino environment to identify and remediate weaknesses proactively.
9. Educate administrators and users about the risks of credential compromise and the importance of safeguarding access to the Domino infrastructure.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Switzerland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: HCL
- Date Reserved: 2022-08-22T16:31:27.394Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9837c4522896dcbebc5f
Added to database: 5/21/2025, 9:09:11 AM
Last enriched: 6/26/2025, 2:43:59 AM
Last updated: 8/11/2025, 3:39:56 AM
Related Threats
- CVE-2025-8081: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder (Medium)
- CVE-2025-6253: CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates (High)
- CVE-2025-3892: CWE-250 Execution with Unnecessary Privileges in Axis Communications AB AXIS OS (Medium)
- CVE-2025-30027: CWE-1287 Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS (Medium)
- CVE-2025-7622: CWE-918 Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro (Medium)