PatchSiren

CVE-2016-5623 Oracle CVE debrief

CVE-2016-5623 is a medium-severity Oracle FLEXCUBE Private Banking issue affecting the Product / Instrument Search subcomponent. Oracle and NVD describe it as an easily exploitable weakness reachable over HTTP by a low-privileged network attacker, with impact limited to confidentiality and integrity of some accessible data. Affected supported versions include 2.0.1, 2.2.0, and 12.0.1.

Vendor: Oracle
Product: CVE-2016-5623
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle FLEXCUBE Private Banking, especially administrators and security teams responsible for the affected supported versions and any deployments exposed to internal or external HTTP access.

Technical summary

The NVD record maps this issue to Oracle FLEXCUBE Private Banking versions 2.0.1, 2.2.0, and 12.0.1 and classifies it as CWE-254. The CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4). In practical terms, a low-privileged attacker with network access via HTTP could compromise the application in a way that allows unauthorized read access to some accessible data and unauthorized insert, update, or delete access to some accessible data. No availability impact is listed in the provided record.

Defensive priority

Medium. The issue is network reachable and exploitable with low privileges, but the provided scoring indicates limited confidentiality and integrity impact and no availability impact.

Recommended defensive actions

  • Confirm whether Oracle FLEXCUBE Private Banking versions 2.0.1, 2.2.0, or 12.0.1 are in use anywhere in your environment.
  • Apply the Oracle January 2017 Critical Patch Update guidance referenced by the vendor advisory for this CVE.
  • Review HTTP exposure and restrict access to the affected application and subcomponent to the minimum required set of users and systems.
  • Audit the Product / Instrument Search path for unexpected data changes or unauthorized reads consistent with the reported impact.
  • Cross-check remediation status against the Oracle and NVD records before closing the issue.

Evidence notes

All claims in this debrief are based on the supplied NVD record and its cited references. The CVE record states the affected Oracle FLEXCUBE Private Banking versions, the low-privilege network/HTTP attack surface, the data confidentiality and integrity impacts, the CVSS v3.0 vector and score, and the CWE-254 classification. Oracle’s January 2017 CPU advisory is listed as a vendor reference in the record.

Official resources

The CVE record was published on 2017-01-27 and later modified on 2026-05-13. Oracle’s January 2017 Critical Patch Update is cited in the NVD references for this issue.