PatchSiren cyber security CVE debrief
CVE-2017-3280 Oracle CVE debrief
CVE-2017-3280 is a medium-severity Oracle Partner Management issue in Oracle E-Business Suite that affects supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Oracle describes it as an easily exploitable vulnerability reachable over HTTP that requires human interaction and can lead to unauthorized update, insert, or delete access to some Partner Management data. NVD maps the weakness to CWE-20 and rates the issue CVSS 4.7 with integrity impact only.
- Vendor: Oracle
- Product: CVE-2017-3280
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application owners, and security teams responsible for Oracle Partner Management instances on the affected versions. Data owners should also care because the impact centers on unauthorized changes to application data.
Technical summary
The NVD record identifies Oracle Partner Management (User Interface subcomponent) as vulnerable to a network-accessible issue over HTTP with no attacker authentication required, but with user interaction required. The CVSS vector records a scope change, and confidentiality and availability are not scored; the main concern is integrity impact, consistent with unauthorized data modification. Affected CPEs cover Partner Management versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The weakness is categorized as CWE-20 (improper input validation).
Defensive priority
Medium. The issue is externally reachable and can alter application data, but the published CVSS score is moderate and does not indicate direct confidentiality or availability impact.
Recommended defensive actions
- Confirm whether Oracle E-Business Suite Partner Management is deployed and whether any instance runs one of the affected versions.
- Apply the Oracle January 2017 Critical Patch Update referenced by Oracle as soon as possible on affected systems.
- Review exposed HTTP access paths to Oracle Partner Management and restrict access to trusted networks where feasible.
- Monitor Partner Management records and audit logs for unauthorized inserts, updates, or deletes.
- Validate that application controls, input handling, and user-facing workflow protections are current after patching.
Evidence notes
Based on the NVD CVE record and Oracle advisory references in the supplied corpus. Key evidence: CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, CVSS base score 4.7, CWE-20, and affected CPEs for Oracle Partner Management versions 12.1.1 through 12.2.6. Oracle’s advisory reference is cpujan2017-2881727.
Official resources
- CVE-2017-3280 CVE record (CVE.org)
- CVE-2017-3280 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Patch, Vendor Advisory)
- Mitigation or vendor reference (Third Party Advisory, VDB Entry)
- Source reference
Publicly disclosed on 2017-01-27 in the official CVE/NVD record, with Oracle’s January 2017 Critical Patch Update referenced as the vendor advisory context. NVD later modified the record on 2026-05-13.