CVE-2023-45720: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in HCL Software HCL Leap
Insufficient default configuration in HCL Leap allows anonymous access to directory information.
AI Analysis
Technical Summary
CVE-2023-45720 is a medium-severity vulnerability in HCL Software's HCL Leap, affecting versions prior to 9.3.5. The product ships with a default configuration that does not require authentication for its directory lookup, so an anonymous client can query directory information. The weakness is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The advisory does not say which attributes are returned; treat whatever the backing user directory exposes (names, identifiers, e-mail addresses, group membership) as potentially readable by anyone who can reach the server. No exploitation in the wild has been reported. Because the root cause is a default setting rather than a code defect, remediation is either a configuration change on the running instance or an upgrade to a release that ships a hardened default. The impact is limited to confidentiality: nothing in the advisory indicates an integrity or availability effect. HCL Leap is a low-code platform for building forms and workflow applications, typically deployed in enterprises, and every deployment running a version before 9.3.5 with the default configuration is affected.
Potential Impact
For European organizations using HCL Leap, this vulnerability can disclose internal directory information, potentially including employee names, roles, contact details and reporting lines. That data is exactly what an attacker needs to build convincing spear-phishing or social-engineering campaigns and to map an organization before a targeted intrusion. Because the exposed records are personal data, unauthenticated access to them is also a GDPR concern, with the usual consequences of regulatory penalties, breach-notification obligations and reputational damage. Sectors with strict data-protection requirements, such as finance, healthcare and government, face the highest exposure. The vulnerability does not by itself allow system compromise or data manipulation, but the confidentiality loss alone has operational and legal consequences. The absence of known exploits lowers the immediate risk, yet the attack requires no credentials and no special tooling, so any reachable instance is trivially enumerable once the issue is known. European enterprises running HCL Leap should therefore treat it as a moderate threat.
Mitigation Recommendations
To mitigate this vulnerability, first confirm the HCL Leap version in use and upgrade to 9.3.5 or later, where the default is corrected. Where an immediate upgrade is not possible, review the instance's configuration and restrict the directory lookup to authenticated users, and apply role-based access control so that only the roles that actually need directory data (for example form designers using a people picker) can query it. After either change, verify the result from an unauthenticated session with no cookies: a request to the directory lookup should now produce a 401, 403 or a redirect to the login page rather than a 200 with directory records. Network-level controls, such as firewall rules or a VPN requirement in front of the Leap server, reduce the population of clients that can reach the endpoint at all. Review web-server and application access logs for unauthenticated requests to the directory lookup, both to detect enumeration attempts and to confirm that the hardening holds after restarts and upgrades. Apply data minimization to the backing directory so that the attributes Leap can return are limited to what its applications need. Finally, fold configuration hardening of HCL Leap into the organization's vulnerability-management and build-standard processes so that a permissive default is not reintroduced on the next deployment.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: HCL
- Date Reserved: 2023-10-10T21:26:10.163Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0c70
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 7:11:05 AM
Last updated: 8/18/2025, 11:33:28 PM