PatchSiren cyber security CVE debrief
CVE-2017-3274 Oracle CVE debrief
CVE-2017-3274 is a high-severity vulnerability in Oracle Email Center for Oracle E-Business Suite. Oracle and NVD describe it as exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires user interaction from someone other than the attacker. The issue affects supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. According to the published description, successful attacks can expose critical data and allow unauthorized modification of some Email Center-accessible data.
- Vendor: Oracle
- Product: CVE-2017-3274
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and defenders responsible for any environment running Oracle Email Center—especially internet-facing or broadly reachable deployments—should treat this as a priority issue.
Technical summary
NVD rates the issue CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). That means the attack path is network-based, does not require attacker privileges, and depends on a victim action. The listed impact includes high confidentiality risk and limited integrity impact, with no direct availability impact recorded. NVD also maps the weakness as NVD-CWE-noinfo, so the public record does not provide a more specific CWE classification.
Defensive priority
High. Prioritize remediation for any Oracle E-Business Suite deployment with Oracle Email Center enabled, and treat exposed or externally reachable instances as urgent because exploitation is network-reachable and requires no attacker authentication.
Recommended defensive actions
- Check whether any Oracle E-Business Suite instances run Oracle Email Center versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Review the Oracle January 2017 Critical Patch Update advisory referenced in the record and apply the vendor-recommended fix for affected systems.
- Restrict access to Oracle Email Center to only trusted users and networks while remediation is underway.
- Monitor for unusual Email Center activity, especially interactions that could indicate user-assisted exploitation.
- Validate whether any dependent or adjacent Oracle products may also be affected, since the vulnerability description notes broader potential impact.
- Track patch status across all environments and confirm remediation in both production and non-production systems.
Evidence notes
The supplied record states: "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Email Center" and that successful attacks require human interaction. It also lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. NVD provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and the base score 8.2. The record also points to Oracle CPU Jan 2017 as the vendor advisory/patch reference.
Official resources
- CVE-2017-3274 CVE record (CVE.org)
- CVE-2017-3274 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Source reference
Publicly disclosed on 2017-01-27 per the supplied CVE publication timestamp. The record was later modified by NVD on 2026-05-13, which should be treated as a database update rather than the original disclosure date.