CVE-2023-45721: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in HCL Software HCL Domino Leap

Severity: Medium
Tags: Vulnerability, CVE-2023-45721, cve, cwe-359
Published: Wed Apr 30 2025 (04/30/2025, 21:13:30 UTC)
Source: CVE
Vendor/Project: HCL Software
Product: HCL Domino Leap

Description

Insufficient default configuration in HCL Leap allows anonymous access to directory information.

AI-Powered Analysis

Last updated: 06/25/2025, 20:57:41 UTC

Technical Analysis

CVE-2023-45721 is a medium-severity vulnerability affecting HCL Software's HCL Domino Leap product, versions 1.0 through 1.0.5 and 1.1 through 1.1.3. The vulnerability arises from insufficient default configuration settings that allow anonymous users to access directory information without authentication. This issue is categorized under CWE-359, which pertains to the exposure of private personal information to unauthorized actors. Specifically, the default configuration does not adequately restrict access controls on directory data, enabling any remote attacker to retrieve potentially sensitive directory entries without needing credentials or user interaction. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no impact on integrity or availability (I:N/A:N). There are no known exploits in the wild at this time, and no official patches have been linked yet. The exposure primarily risks confidentiality by allowing unauthorized disclosure of personal or organizational directory information, which could be leveraged for further social engineering or reconnaissance activities.

Potential Impact

For European organizations using HCL Domino Leap, this vulnerability poses a risk of unauthorized disclosure of directory information, which may include employee names, roles, contact details, and other personal identifiers. Such exposure can facilitate targeted phishing campaigns, identity theft, or unauthorized access attempts by providing attackers with valuable intelligence. While the vulnerability does not directly compromise system integrity or availability, the leakage of private information can undermine compliance with stringent European data protection regulations such as the GDPR, potentially leading to legal and financial repercussions. Organizations in sectors with high privacy requirements—such as finance, healthcare, and government—are particularly vulnerable to reputational damage and regulatory scrutiny if directory information is exposed. Additionally, the ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic scanning and data harvesting by malicious actors.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately review and harden the default configuration settings of HCL Domino Leap to restrict anonymous access to directory information. This includes disabling or limiting guest or anonymous user permissions on directory services and enforcing authentication mechanisms for directory queries. Network-level controls such as firewall rules or access control lists (ACLs) should be applied to restrict access to the HCL Domino Leap service to trusted internal IP ranges or VPN users only. Organizations should monitor logs for unusual or unauthorized directory access attempts and implement alerting for anomalous activity. Since no official patches are currently available, organizations should engage with HCL Software support for guidance on interim configuration changes or upcoming patches. Additionally, conducting an inventory of exposed directory data and minimizing stored personal information to only what is necessary can reduce the risk surface. Regular security assessments and penetration testing focused on access controls for directory services are recommended to ensure ongoing protection.


Technical Details

Data Version: 5.1
Assigner Short Name: HCL
Date Reserved: 2023-10-10T21:26:10.163Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbec9dd

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 8:57:41 PM

Last updated: 8/15/2025, 9:46:31 AM
