CVE-2023-37517 in Domino Leap
Summary
by MITRE • 05/01/2025
Missing "no cache" headers in HCL Leap permits sensitive data to be cached.
Analysis
by VulDB Data Team • 10/31/2025
The vulnerability identified as CVE-2023-37517 affects HCL Leap, a platform used for collaboration and content management. This issue stems from the absence of proper cache control headers in HTTP responses generated by the application. The missing "no cache" headers create a significant security risk by allowing sensitive data to be stored in various caching layers including browser caches, proxy servers, and intermediate network devices. When sensitive information flows through the application without explicit cache control directives, it becomes vulnerable to unauthorized access through cache poisoning attacks or when cached content is served to unintended users.
The technical flaw manifests as a failure to implement proper HTTP cache control mechanisms within the HCL Leap application. According to CWE-527, this represents a weakness where security-relevant information is accessible through mechanisms that should not provide access to such information. The vulnerability specifically impacts the application's ability to prevent caching of sensitive data, creating a condition where confidential information can persist in cached states for extended periods. This flaw directly violates security best practices outlined in the OWASP Top Ten and other industry standards that emphasize the importance of controlling how sensitive data is handled through caching mechanisms.
The operational impact of this vulnerability extends beyond simple data exposure risks. When sensitive information becomes cached, it can be accessed by multiple users who may not have legitimate authorization to view such data. This creates a persistent threat where cached content can be retrieved from various points in the network infrastructure, including CDN caches, enterprise proxy servers, and browser caches of previous users. Attackers can exploit this weakness by leveraging cache poisoning techniques or by simply accessing cached content from compromised systems. The vulnerability also affects the principle of least privilege and can lead to information disclosure that violates compliance requirements for data protection and privacy regulations.
Mitigation strategies for CVE-2023-37517 involve implementing proper HTTP cache control headers in all responses containing sensitive data. Organizations should configure HCL Leap to send a Cache-Control header carrying directives such as no-cache, no-store, and must-revalidate to prevent caching of sensitive information. Additionally, implementing Content-Security-Policy headers and ensuring that all authenticated responses include appropriate cache control directives will help address this vulnerability. According to ATT&CK technique T1566, this vulnerability could be exploited through social engineering or direct access attacks that leverage cached sensitive information. Regular security assessments and automated scanning of web applications for missing cache headers should be implemented as part of comprehensive security monitoring. The fix requires modifications to the application's response handling logic to ensure that all sensitive data flows include explicit cache control directives, with particular attention to user session data, personal information, and business-critical content. Organizations should also implement proper logging and monitoring to detect any unauthorized access attempts that may exploit this vulnerability through cached content retrieval.
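The automated check for missing cache headers mentioned above can be sketched as follows. This is an added example, not code from HCL or VulDB. It audits captured response headers and reports sensitive responses that a browser or shared cache could still store. The sample captures are constructed, the paths are placeholders rather than real HCL Leap URLs, and the "sensitive" flag is assumed to come from the assessor's own classification of each response.

```python
# Added example: sample data is constructed; paths are placeholders, not HCL Leap URLs.

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_response(headers, sensitive):
    """Return findings for one response; `sensitive` is the caller's classification."""
    if not sensitive:
        return []
    h = {k.lower(): v for k, v in headers.items()}
    if "cache-control" not in h:
        return ["missing Cache-Control: caches may store the response heuristically"]
    cc = parse_cache_control(h["cache-control"])
    if "no-store" in cc:
        return []
    findings = ["no-store absent: a copy may be written to cache storage"]
    if "public" in cc:
        findings.append("public: shared caches (proxy, CDN) may store it")
    age = cc.get("s-maxage") or cc.get("max-age")
    if age and age.isdigit() and int(age) > 0 and "no-cache" not in cc:
        findings.append(f"fresh for {age}s: served from cache without revalidation")
    return findings


# Constructed captures: (path, sensitive?, response headers)
SAMPLE = [
    ("/placeholder/record/1", True, {"Content-Type": "application/json"}),
    ("/placeholder/record/2", True, {"cache-control": "Private, Max-Age=600"}),
    ("/placeholder/record/3", True, {"Cache-Control": "no-cache, must-revalidate"}),
    ("/placeholder/record/4", True,
     {"Cache-Control": "no-cache, no-store, must-revalidate"}),
    ("/placeholder/static/app.js", False, {"Cache-Control": "public, max-age=86400"}),
]


def audit_all(captures):
    """Map each path with at least one finding to its findings."""
    results = {p: audit_response(h, s) for p, s, h in captures}
    return {p: f for p, f in results.items() if f}


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE).items():
        for finding in findings:
            print(f"{path}: {finding}")
```

Note that no-cache on its own still permits storage and only forces revalidation, which is why the third constructed response is reported while the fourth, which adds no-store, is not.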