PatchSiren


CVE-2017-3278 Oracle CVE debrief

CVE-2017-3278 affects Oracle E-Business Suite’s Oracle One-to-One Fulfillment component, specifically Request Confirmation, in version 12.1.3. Oracle and NVD describe it as an easily exploitable network-accessible issue over HTTP that still requires human interaction from someone other than the attacker. The impact is primarily confidentiality and integrity, with potential unauthorized access to critical data and unauthorized data modification within One-to-One Fulfillment-accessible data. The CVSS v3.0 base score is 8.2 (High).

Vendor: Oracle
Product: CVE-2017-3278
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle E-Business Suite 12.1.3, especially environments exposing One-to-One Fulfillment or related request-confirmation workflows over HTTP. Data owners should also care because the issue can expose or alter application data.

Technical summary

NVD maps CVE-2017-3278 to cpe:2.3:a:oracle:one-to-one_fulfillment:12.1.3 and rates it CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. In practical terms, the flaw is reachable remotely, needs no privileges, but does require user interaction. The published impact is significant confidentiality exposure and some integrity impact, while availability is not rated as impacted in the provided CVSS vector.

Defensive priority

High for any exposed Oracle E-Business Suite 12.1.3 deployment. The combination of remote reachability, no privileges, and high confidentiality impact makes this a strong patching and exposure-review candidate, even though user interaction is required.

Recommended defensive actions

  • Identify whether Oracle E-Business Suite 12.1.3 and the One-to-One Fulfillment Request Confirmation component are deployed.
  • Check Oracle’s January 2017 CPU advisory referenced by NVD for the applicable fix and update guidance.
  • Prioritize patching or upgrading affected systems according to Oracle maintenance guidance.
  • Restrict or monitor HTTP access to the affected application paths and confirm only intended users can reach the workflow.
  • Review logs for unusual request-confirmation activity and any unexpected data access or modification attempts.
  • Validate that compensating controls are in place wherever immediate patching is not possible.

Evidence notes

This debrief is based on the supplied NVD record and its listed references. NVD’s modified record shows the vulnerable CPE for oracle:one-to-one_fulfillment:12.1.3 and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The record also references Oracle’s January 2017 security advisory (CPU Jan 2017) and third-party advisories. No KEV listing was supplied, and no exploit details beyond the official vulnerability description are used here.

Official resources

CVE-2017-3278 was published on 2017-01-27 22:59:03.537Z. The supplied record was last modified on 2026-05-13 00:24:29.033Z, which is a record-update timestamp and not the vulnerability’s original issue date.