PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3245 Oracle CVE debrief

CVE-2017-3245 is a medium-severity information disclosure issue in Oracle FLEXCUBE Direct Banking, specifically the Pre-Login component. According to the CVE record, an unauthenticated attacker with network access via HTTP can exploit the flaw, but successful attacks require human interaction from a different person. The documented impact is unauthorized read access to a subset of accessible data in affected versions 12.0.2 and 12.0.3.

Vendor: Oracle
Product: CVE-2017-3245
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle FLEXCUBE Direct Banking administrators, banking application owners, vulnerability management teams, and SOC analysts responsible for internet-facing pre-login HTTP services.

Technical summary

NVD lists this issue as CVSS 3.0 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N) with CWE-200. The affected CPEs are Oracle FLEXCUBE Direct Banking 12.0.2 and 12.0.3. The CVE description states the flaw is in the Pre-Login component, is reachable over HTTP, does not require authentication, and can disclose a subset of accessible data; it also notes that attacks may significantly impact additional products and require human interaction.

Defensive priority

Medium: prioritize exposed Oracle FLEXCUBE Direct Banking deployments, especially pre-login HTTP endpoints, because the issue is network-reachable, unauthenticated, and can leak sensitive data.

Recommended defensive actions

  • Verify whether Oracle FLEXCUBE Direct Banking 12.0.2 or 12.0.3 is deployed in your environment.
  • Check Oracle's January 2017 Critical Patch Update advisory referenced by NVD for vendor remediation guidance.
  • Reduce exposure of pre-login HTTP access paths where feasible, especially for internet-facing deployments.
  • Review access logging and monitoring around FLEXCUBE pre-login activity for unexpected requests or information exposure.
  • If the product is in scope, coordinate upgrade or patch application through normal change management and validation processes.

Evidence notes

This debrief is based on the CVE record and NVD entry supplied in the source corpus. The record states the vulnerability is in Oracle FLEXCUBE Direct Banking Pre-Login, affects versions 12.0.2 and 12.0.3, is exploitable over HTTP by an unauthenticated attacker, requires user interaction, and can lead to unauthorized read access to a subset of accessible data. NVD also maps the issue to CWE-200 and CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. Oracle's January 2017 CPU advisory is referenced by NVD, but the advisory body text was not provided in the corpus.

Official resources

CVE published 2017-01-27T22:59:02.477Z; NVD record modified 2026-05-13T00:24:29.033Z. The publication date is the CVE issue date used here, not the later modification date.